Update networking page to make it clear that the ipv6 feature only affects qubes-configured networking

Merge branch 'pr-1433'

developer/building/development-workflow.md

@@ -12,42 +12,41 @@ title: Development workflow
 
 A workflow for developing Qubes OS+
 
-First things first, setup [QubesBuilder](/doc/qubes-builder/). This guide
-assumes you're using qubes-builder to build Qubes.
+To begin, setup [QubesBuilder](/doc/qubes-builder-v2/). This guide
+assumes you're using qubes-builder v2 to build Qubes.
 
 ## Repositories and committing Code
 
-Qubes is split into a bunch of git repos. These are all contained in the
-`qubes-src` directory under qubes-builder. Subdirectories there are separate
-components, stored in separate git repositories.
+Qubes source code is split into many git repos. These are all contained in the
+`artifacts/sources` directory under qubes-builder. Subdirectories there are
+separate components, stored in separate git repositories.
 
 The best way to write and contribute code is to create a git repo somewhere
-(e.g., github) for the repo you are interested in editing (e.g.,
+(e.g., GitHub) for the repo you are interested in editing (e.g.,
 `qubes-manager`, `core-agent-linux`, etc). To integrate your repo with the rest
 of Qubes, cd to the repo directory and add your repository as a remote in git
 
 **Example:**
 
 ~~~
-$ cd qubes-builder/qubes-src/qubes-manager
-$ git remote add abel git@github.com:abeluck/qubes-manager.git
+$ cd qubes-builder/artifacts/sources/qubes-manager
+$ git remote add abel git@GitHub.com:abeluck/qubes-manager.git
 ~~~
 
 You can then proceed to easily develop in your own branches, pull in new
-commits from the dev branches, merge them, and eventually push to your own repo
-on github.
+commits from the dev branches, merge them, and eventually push to your own repo.
 
 When you are ready to submit your changes to Qubes to be merged, push your
 changes, then create a signed git tag (using `git tag -s`). Finally, send a
-letter to the Qubes listserv describing the changes and including the link to
-your repository. You can also create pull request on github. Don't forget to
-include your public PGP key you use to sign your tags.
+letter to the Qubes listserv describing the changes, and including a link to
+your repository. If you are using GitHub you can instead create a pull request.
+Don't forget to include the public PGP key you use to sign your tags.
 
 ### Kernel-specific notes
 
 #### Prepare fresh version of kernel sources, with Qubes-specific patches applied
 
-In qubes-builder/qubes-src/linux-kernel:
+In qubes-builder/artifacts/sources/linux-kernel:
 
 ~~~
 make prep
@@ -66,7 +65,7 @@ drwxr-xr-x  6 user user 4096 Nov 21 20:48 kernel-3.4.18/linux-obj
 
 #### Go to the kernel tree and update the version
 
-In qubes-builder/qubes-src/linux-kernel:
+In qubes-builder/artifacts/sources/linux-kernel:
 
 ~~~
 cd kernel-3.4.18/linux-3.4.18
@@ -117,9 +116,7 @@ vi series.conf
 
 #### Building RPMs
 
-TODO: Is this step generic for all subsystems?
-
-Now it is a good moment to make sure you have changed kernel release name in
+Now is a good moment to make sure you have changed the kernel release name in
 rel file. For example, if you change it to '1debug201211116c' the
 resulting RPMs will be named
 'kernel-3.4.18-1debug20121116c.pvops.qubes.x86\_64.rpm'. This will help
@@ -131,34 +128,23 @@ your changes locally.
 To actually build RPMs, in qubes-builder:
 
 ~~~
-make linux-kernel
+./qb -c linux-kernel package fetch prep build
 ~~~
 
-RPMs will appear in qubes-src/linux-kernel/pkgs/fc20/x86\_64:
+RPMs will appear in
+`artifacts/repository/destination_name/package_name`
+(for example `artifacts/repository/host-fc37/linux-kernel-6.6.31-1.1/`
 
-~~~
--rw-rw-r-- 1 user user 42996126 Nov 17 04:08 kernel-3.4.18-1debug20121116c.pvops.qubes.x86_64.rpm
--rw-rw-r-- 1 user user 43001450 Nov 17 05:36 kernel-3.4.18-1debug20121117a.pvops.qubes.x86_64.rpm
--rw-rw-r-- 1 user user  8940138 Nov 17 04:08 kernel-devel-3.4.18-1debug20121116c.pvops.qubes.x86_64.rpm
--rw-rw-r-- 1 user user  8937818 Nov 17 05:36 kernel-devel-3.4.18-1debug20121117a.pvops.qubes.x86_64.rpm
--rw-rw-r-- 1 user user 54490741 Nov 17 04:08 kernel-qubes-vm-3.4.18-1debug20121116c.pvops.qubes.x86_64.rpm
--rw-rw-r-- 1 user user 54502117 Nov 17 05:37 kernel-qubes-vm-3.4.18-1debug20121117a.pvops.qubes.x86_64.rpm
-~~~
+### Useful [QubesBuilder](/doc/qubes-builder-v2/) commands
 
-### Useful [QubesBuilder](/doc/qubes-builder/) commands
-
-1. `make check` - will check if all the code was committed into repository and
-if all repository are tagged with signed tag.
-2. `make show-vtags` - show version of each component (based on git tags) -
-mostly useful just before building ISO. **Note:** this will not show version
-for components containing changes since last version tag.
-3. `make push` - push change from **all** repositories to git server. You must
-set proper remotes (see above) for all repositories first.
-4. `make prepare-merge` - fetch changes from remote repositories (can be
-specified on commandline via GIT\_SUBDIR or GIT\_REMOTE vars), (optionally)
-verify tags and show the changes. This do not merge the changes - there are
-left for review as FETCH\_HEAD ref. You can merge them using `git merge
-FETCH_HEAD` (in each repo directory). Or `make do-merge` to merge all of them.
+1. `./qb package diff` - show uncommitted changes
+2. ` ./qb repository check-release-status-for-component` and
+`./qb repository check-release-status-for-template`- show version of each
+   component/template (based on git tags)
+3. `./qb package sign` -  sign built packages
+4. `./qb package publish` and `./qb package upload` - publish signed packages
+   and upload published
+   repository
 
 ## Copying Code to dom0
 
@@ -297,12 +283,12 @@ if [ "$1" = "tb" ]; then
     exit $?
 fi
 
-git remote add $1 git@github.com:$1/qubes-`basename $PWD`
+git remote add $1 git@GitHub.com:$1/qubes-`basename $PWD`
 ~~~
 
 It should be executed from component top level directory. This script takes one
 argument - remote name. If it is `tb`, then it creates qrexec-based git remote
-to `testbuilder` VM. Otherwise it creates remote pointing at github account of
+to `testbuilder` VM. Otherwise it creates remote pointing at GitHub account of
 the same name. In any case it points at repository matching current directory
 name.
 
@@ -321,7 +307,7 @@ current and current-testing).
 
 ### RPM packages - yum repo
 
-In source VM, grab [linux-yum](https://github.com/QubesOS/qubes-linux-yum) repository (below is assumed you've made it in
+In source VM, grab [linux-yum](https://GitHub.com/QubesOS/qubes-linux-yum) repository (below is assumed you've made it in
 `~/repo-yum-upload` directory) and replace `update_repo.sh` script with:
 
 ~~~
@@ -337,7 +323,7 @@ find -type f -name '*.rpm' -delete
 qrexec-client-vm $VMNAME local.UpdateYum
 ~~~
 
-In target VM, setup actual yum repository (also based on [linux-yum](https://github.com/QubesOS/qubes-linux-yum), this time
+In target VM, setup actual yum repository (also based on [linux-yum](https://GitHub.com/QubesOS/qubes-linux-yum), this time
 without modifications). You will also need to setup some gpg key for signing
 packages (it is possible to force yum to install unsigned packages, but it
 isn't possible for `qubes-dom0-update` tool). Fill `~/.rpmmacros` with
@@ -417,7 +403,7 @@ Remember to also import gpg public key using `rpm --import`.
 
 Steps are mostly the same as in the case of yum repo. The only details that differ:
 
-- use [linux-deb](https://github.com/QubesOS/qubes-linux-deb) instead of [linux-yum](https://github.com/QubesOS/qubes-linux-yum) as a base - both in source and target VM
+- use [linux-deb](https://GitHub.com/QubesOS/qubes-linux-deb) instead of [linux-yum](https://GitHub.com/QubesOS/qubes-linux-yum) as a base - both in source and target VM
 - use different `update_repo.sh` script in source VM (below)
 - use `local.UpdateApt` qrexec service in target VM (code below)
 - in target VM additionally place `update-local-repo.sh` script in repository dir (code below)

developer/building/qubes-builder-v2.md

@@ -0,0 +1,162 @@
+---
+lang: en
+layout: doc
+permalink: /doc/qubes-builder-v2/
+redirect_from:
+- /en/doc/qubes-builder-v2/
+- /doc/QubesBuilder2/
+- /wiki/QubesBuilder2/
+ref: 311
+title: Qubes builder v2
+---
+
+This is a brief introduction to using Qubes Builder v2 to work with Qubes OS
+sources. It will walk you through installing and configuring Builder v2, and
+using it to fetch and build Qubes OS packages.
+
+For details and customization, use [Qubes OS v2 builder documentation](https://github.com/QubesOS/qubes-builderv2/).
+
+# Overview
+
+In the second generation of Qubes OS builder, container or disposable qube
+isolation is used to perform every stage of the build and release process.
+From fetching sources to building, everything is executed inside an isolated
+*cage* (either a disposable or a container) using an *executor*. For every
+command that needs to perform an action on sources, like cloning and
+verifying Git repos, rendering a SPEC file, generating SRPM or Debian
+source packages, a new cage is used. Only the signing, publishing, and
+uploading stages are executed locally outside a cage.
+
+
+# Setup
+
+This is a simple setup using a docker executor. This is a good default choice;
+if you don't know which executor to use, use docker.
+
+1. First, decide what qube you are going to use when working with Qubes
+   Builder v2. It can be an AppVM or a Standalone qube, with some steps
+   different between the two.
+
+2. Installing dependencies
+
+   If you want to use an app qube for developing, install dependencies in the template.
+   If you are using a standalone, install them in the qube itself.
+    Dependencies are specified in `dependencies-*.
+   txt` files in the main builder directory, and you can install them easily
+   in the following ways:
+   1. for Fedora, use:
+    ```shell
+    $ sudo dnf install $(cat dependencies-fedora.txt)
+    $ test -f /usr/share/qubes/marker-vm && sudo dnf install qubes-gpg-split
+   ```
+   2. for Debian (note: some Debian packages require Debian version 13 or
+      later), use:
+    ```shell
+    $ sudo apt install $(cat dependencies-debian.txt)
+    $ test -f /usr/share/qubes/marker-vm && sudo apt install qubes-gpg-split
+   ```
+
+    If you have installed dependencies in the template, close it, and
+    (re)start the development qube.
+
+3. Clone the qubes-builder v2 repository into a location of your choice:
+    ```shell
+    git clone https://github.com/QubesOS/qubes-builderv2
+    cd qubes-builderv2/
+    ```
+
+4. If you haven't previously used docker in the current qube, you need to set up
+   some permissions. In particular, the user has to be added to the `docker`
+   group:
+    ```shell
+   $ sudo usermod -aG docker user
+    ```
+    Next, **restart the qube**.
+
+5. Finally, you need to generate a docker image:
+    ```shell
+   $ tools/generate-container-image.sh docker
+    ```
+
+   In an app qube, as `/var/lib/docker` is not persistent by default, you also
+   need to use [bind-dirs](/doc/bind-dirs/) to avoid repeating this step after reboot, adding
+   the following to the `/rw/config/qubes-bind-dirs.d/docker.conf` file in
+   this qube:
+
+   ```
+   binds+=( '/var/lib/docker' )
+   ```
+
+# Configuration
+
+To use Qubes OS Builder v2, you need to have a `builder.yml` configuration file.
+You can use one of the sample files from the `example-configs/` directory; for a
+more readable `builder.yml`, you can also include one of the files from that
+directory in your `builder.yml`. An example `builder.yml` is:
+
+```yaml
+# include configuration relevant for the current release
+include:
+- example-configs/qubes-os-r4.2.yml
+
+# which repository to use to fetch sources
+use-qubes-repo:
+  version: 4.2
+  testing: true
+
+# each package built will have local build number appended to package release
+# number. It makes it easier to update in testing environment
+increment-devel-versions: true
+
+# reduce output
+debug: false
+
+# this can be set to true if you do not want sources to be automatically
+# fetched from git
+skip-git-fetch: false
+
+# executor configuration
+executor:
+  type: docker
+  options:
+    image: "qubes-builder-fedora:latest"
+
+```
+
+
+# Using Builder v2
+
+To fetch sources - in this example, for the `core-admin-client` package, you
+can use the following command:
+
+```shell
+$ ./qb -c core-admin-client package fetch
+```
+
+This will fetch the sources for the listed package and place them in
+`artifacts/sources` directory.
+
+To build a package (from sources in the `artifacts/sources` directory), use:
+
+```shell
+$ ./qb -c core-admin-client package fetch prep build
+```
+
+or, if you want to build for a specific target (`host-fc37` is a `dom0`
+using Fedora 37, `vm-fc40` would be a qube using Fedora 40 etc.), use:
+
+```shell
+$ ./qb -c core-admin-client -d host-fc37 package fetch prep build
+```
+
+If you want to fetch the entire Qubes OS source use the following:
+
+```shell
+$ ./qb package fetch
+```
+
+**caution**: some repositories might have additional requirements. You can
+disable repositories that are not needed in the `example-configs/*.yml`
+file you are using by commenting them out. In particular, `python-fido2`,
+`lvm` and `windows`-related repositories have special requirements.
+

developer/debugging/automated-tests.md

@@ -132,7 +132,7 @@ Whereas integration tests are mostly stored in the [qubes-core-admin](https://gi
 To for example run the `qubes-core-admin` unit tests, you currently have to clone at least [qubes-core-admin](https://github.com/QubesOS/qubes-core-admin) and
 its dependency [qubes-core-qrexec](https://github.com/QubesOS/qubes-core-qrexec) repository in the branches that you want to test.
 
-The below example however will assume that you set up a build environment as described in the [Qubes Builder documentation](/doc/qubes-builder/).
+The below example however will assume that you set up a build environment as described in the [Qubes Builder documentation](/doc/qubes-builder-v2/).
 
 Assuming you cloned the `qubes-builder` repository to your home directory inside a fedora VM, you can use the following commands to run the unit tests:
 

developer/debugging/test-bench.md

@@ -205,9 +205,10 @@ pushd ${HOME}/builder >/dev/null
 
 # the following are needed only if you have sources outside builder
 #rm -rf qubes-src/core-admin
-#make COMPONENTS=core-admin get-sources
+#qb -c core-admin package fetch
 
-make core-admin
+qb -c core-admin -d host-fc41 prep build
+# update your dom0 fedora distribution as appropriate
 qtb-install qubes-src/core-admin/rpm/x86_64/qubes-core-dom0-*.rpm
 qtb-runtests
 ```

developer/general/gsoc.md

@@ -31,7 +31,7 @@ You should start learning the components that you plan on working on before the
 
 Coming up with an interesting idea that you can realistically achieve in the time available to you (one summer) is probably the most difficult part. We strongly recommend getting involved in advance of the beginning of GSoC, and we will look favorably on applications from prospective contributors who have already started to act like free and open source developers.
 
-Before the summer starts, there are some preparatory tasks which are highly encouraged. First, if you aren't already, definitely start using Qubes as your primary OS as soon as possible! Also, it is encouraged that you become familiar and comfortable with the Qubes development workflow sooner than later. A good way to do this (and also a great way to stand out as an awesome applicant and make us want to accept you!) might be to pick up some issues from [qubes-issues](https://github.com/QubesOS/qubes-issues/issues) (our issue-tracking repo) and submit some patches addressing them. Some suitable issues might be those with tags ["help wanted" and "P: minor"](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22P%3A%20minor%22%20label%3A%22help%20wanted%22) (although more significant things are also welcome, of course). Doing this will get you some practice with [qubes-builder](/doc/qubes-builder/), our code-signing policies, and some familiarity with our code base in general so you are ready to hit the ground running come summer.
+Before the summer starts, there are some preparatory tasks which are highly encouraged. First, if you aren't already, definitely start using Qubes as your primary OS as soon as possible! Also, it is encouraged that you become familiar and comfortable with the Qubes development workflow sooner than later. A good way to do this (and also a great way to stand out as an awesome applicant and make us want to accept you!) might be to pick up some issues from [qubes-issues](https://github.com/QubesOS/qubes-issues/issues) (our issue-tracking repo) and submit some patches addressing them. Some suitable issues might be those with tags ["help wanted" and "P: minor"](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22P%3A%20minor%22%20label%3A%22help%20wanted%22) (although more significant things are also welcome, of course). Doing this will get you some practice with [qubes-builder](/doc/qubes-builder-v2/), our code-signing policies, and some familiarity with our code base in general so you are ready to hit the ground running come summer.
 
 ### Contributor proposal guidelines
 
@@ -422,7 +422,7 @@ for more information and qubes-specific background.
 
 **Difficulty**: medium
 
-**Knowledge prerequisite**: qubes-builder [[1]](/doc/qubes-builder/) [[2]](/doc/qubes-builder-details/) [[3]](https://github.com/QubesOS/qubes-builder/tree/master/doc), and efficient at introspecting complex systems: comfortable with tracing and debugging tools, ability to quickly identify and locate issues within a large codebase (upstream build tools), etc.
+**Knowledge prerequisite**: qubes-builder [[1]](/doc/qubes-builder-v2/) [[2]](https://github.com/QubesOS/qubes-builderv2), and efficient at introspecting complex systems: comfortable with tracing and debugging tools, ability to quickly identify and locate issues within a large codebase (upstream build tools), etc.
 
 **Size of the project**: 350 hours
 

developer/system/networking.md

@@ -62,9 +62,12 @@ Such configuration can be expressed by enabling `ipv6` feature only on some subs
 
 ![ipv6-2](/attachment/doc/ipv6-2.png)
 
-Besides enabling IPv6 forwarding, standard Qubes firewall can be used to limit what network resources are available to each qube. Currently only `qvm-firewall` command support adding IPv6 rules, GUI firewall editor will have this ability later.
+Besides enabling IPv6 forwarding, the standard Qubes firewall can be used to limit what network resources are available to each qube. Currently only the `qvm-firewall` command supports adding IPv6 rules, the GUI firewall editor will have this ability later.
+
+**Note:** Setting or unsetting the `ipv6` feature only affects qubes-configured networking. It does not affect e.g. external interfaces. If you want to restrict IPv6 on these interfaces change the settings in Network Manager. Alternatively, disable IPv6 support using methods appropriate to the underlying template.
 
 ### Limitations
 
 Currently only IPv4 DNS servers are configured, regardless of `ipv6` feature state. It is done this way to avoid reconfiguring all connected qubes whenever IPv6 DNS becomes available or not. Configuring qubes to always use IPv6 DNS and only fallback to IPv4 may result in relatively long timeouts and poor usability.
 But note that DNS using IPv4 does not prevent to return IPv6 addresses. In practice this is only a problem for IPv6-only networks.
+

introduction/faq.md

@@ -678,7 +678,7 @@ Any rpm-based, 64-bit environment, the preferred OS being Fedora.
 
 ### How do I build Qubes from sources?
 
-See [these instructions](/doc/qubes-builder/).
+See [these instructions](/doc/qubes-builder-v2/).
 
 ### How do I submit a patch?
 

introduction/video-tours.md

@@ -22,7 +22,7 @@ Watch all the talks from Qubes OS Summit 2022, which took place September 9-11,
 
 ## Micah Lee presents "Qubes OS: The Operating System That Can Protect You Even If You Get Hacked"
 
-[Micah Lee](https://micahflee.com/), a long-time Qubes [advocate](/endorsements/), presented [Qubes OS: The Operating System That Can Protect You Even If You Get Hacked](https://www.hope.net/schedule.html#-qubes-os-the-operating-system-that-can-protect-you-even-if-you-get-hacked-) at the [Circle of HOPE](https://www.hope.net/index.html) conference, which took place July 20-22, 2018 in New York City.
+[Micah Lee](https://micahflee.com/), a long-time Qubes [advocate](/endorsements/), presented [Qubes OS: The Operating System That Can Protect You Even If You Get Hacked](https://archive.org/details/QubesOSTheOperatingSystemThatCanProtectYouEvenIfYouGetHackedTalkByMicahLee) at the Circle of HOPE conference, which took place July 20-22, 2018 in New York City.
 
 <div class="video more-bottom">
   <iframe class="responsive" referrerpolicy="no-referrer" scrolling="no" allowfullscreen src="https://livestream.com/accounts/9197973/events/8286152/videos/178431606/player?autoPlay=false"></iframe>

user/advanced-topics/config-files.md

@@ -18,7 +18,7 @@ That way, they can be used to customize a single VM instead of all VMs based on
 The scripts here all run as root.
 
 - `/rw/config/rc.local` - script runs at VM startup.
-    Good place to change some service settings, replace config files with its copy stored in `/rw/config`, etc.
+    Good place to change some service settings, replace config files with its copy stored in `/rw/config`, etc. The script need to have the executable permission set to be executed.
     Example usage:
 
     ~~~
@@ -32,6 +32,8 @@ The scripts here all run as root.
     echo '127.0.0.1 example.com' >> /etc/hosts
     ~~~
 
+- `/rw/config/rc.local.d/*.rc` - scripts run at VM startup just before `/rw/config/rc.local`
+- `/rw/config/rc.local-early.d/*.rc`, `/rw/config/rc.local-early` - scripts similar to `/rw/config/rc.local`, but running earlier in the system startup sequence - just before `sysinit.target`, and setting up the network.
 - `/rw/config/qubes-ip-change-hook` - script runs in NetVM after every external IP change and on "hardware" link status change.
 
 - In ProxyVMs (or app qubes with `qubes-firewall` service enabled), scripts placed in the following directories will be executed in the listed order followed by `qubes-firewall-user-script` at start up.

user/downloading-installing-upgrading/installation-guide.md

@@ -91,25 +91,27 @@ This section will demonstrate a simple installation using mostly default setting
 
 ### Getting to the boot screen
 
-"Booting" is the process of starting your computer. When a computer boots up, it first runs low-level software before the main operating system. Depending on the computer, this low-level software is may be called the ["BIOS"](https://en.wikipedia.org/wiki/BIOS) or ["UEFI"](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface).
+"Booting" is the process of starting your computer. When a computer boots up, it first runs low-level software before the main operating system. Depending on the computer, this low-level software may be called the ["BIOS"](https://en.wikipedia.org/wiki/BIOS) or ["UEFI"](https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface).
 
 Since you're installing Qubes OS, you'll need to access your computer's BIOS or UEFI menu so that you can tell it to boot from the USB drive to which you just copied the Qubes installer ISO.
 
 To begin, power off your computer and plug the USB drive into a USB port, but don't press the power button yet. Right after you press the power button, you'll have to immediately press a specific key to enter the BIOS or UEFI menu. The key to press varies from brand to brand. `Esc`, `Del`, and `F10` are common ones. If you're not sure, you can search the web for `<COMPUTER_MODEL> BIOS key` or `<COMPUTER_MODEL> UEFI key` (replacing `<COMPUTER_MODEL>` with your specific computer model) or look it up in your computer's manual.
 
-Once you know the key to press, press your computer's power button, then repeatedly press that key until you've entered your computer's BIOS or UEFI menu. To give you and idea of what you should be looking for, we've provided a couple of example photos below.
+Once you know the key to press, press your computer's power button, then repeatedly press that key until you've entered your computer's BIOS or UEFI menu. To give you an idea of what you should be looking for, we've provided a couple of example photos below.
 
 Here's an example of what the BIOS menu looks like on a ThinkPad T430:
 
 [![ThinkPad T430 BIOS menu](/attachment/doc/Thinkpad-t430-bios-main.jpg)](/attachment/doc/Thinkpad-t430-bios-main.jpg)
 
-And here's an example of what a UEFI menu looks like:
+And here's an example of what a modern UEFI menu looks like:
 
 [![UEFI menu](/attachment/doc/uefi.jpeg)](/attachment/doc/uefi.jpeg)
 
-Once you access your computer's BIOS or UEFI menu, you'll want to go to the "boot menu," which is where you tell your computer which devices to boot from. The goal is to tell the computer to boot from your USB drive so that you can run the Qubes installer. If your boot menu lets you select which device to boot from first, simply select your USB drive. (If you have multiple entries that all look similar to your USB drive, and you're not sure which one is correct, one option is just to try each one until it works.) If, on the other hand, your boot menu presents you with a list of boot devices in order, then you'll want to move your USB drive to the top so that the Qubes installer runs before anything else.
+Once you access your computer's BIOS or UEFI menu, you'll want to go to the "boot menu", which is where you tell your computer which devices to boot from. The goal is to tell the computer to boot from your USB drive so that you can run the Qubes installer. If your boot menu lets you select which device to boot from first, simply select your USB drive. (If you have multiple entries that all look similar to your USB drive, and you're not sure which one is correct, one option is just to try each one until it works.) If, on the other hand, your boot menu presents you with a list of boot devices in order, then you'll want to move your USB drive to the top so that the Qubes installer runs before anything else.
 
-Once you're done on the boot menu, save your changes. How you do this depends on your BIOS or UEFI, but the instructions should be displayed right there on the screen or in a nearby tab. (If you're not sure whether you've saved your changes correctly, you can always reboot your computer and go back into the boot menu to check whether it still reflects your changes.) Once your BIOS or UEFI is configured the way you want it, reboot your computer. This time, don't press any special keys. Instead, let the BIOS or UEFI load and let your computer boot from your USB drive. If you're successful in this step, after a few seconds you'll be presented with the Qubes installer screen:
+Then, if you are on a computer using UEFI, you'll have to disable [Secure Boot](https://en.m.wikipedia.org/wiki/UEFI#SECURE-BOOT) to allow Qubes OS to boot.
+
+Once you're done with the settings, save your changes. How you do this depends on your BIOS or UEFI, but the instructions should be displayed right there on the screen or in a nearby tab. (If you're not sure whether you've saved your changes correctly, you can always reboot your computer and go back into the boot menu to check whether it still reflects your changes.) Once your BIOS or UEFI is configured the way you want it, reboot your computer. This time, don't press any special keys. Instead, let the BIOS or UEFI load and let your computer boot from your USB drive. If you're successful in this step, after a few seconds you'll be presented with the Qubes installer screen:
 
 [![Boot screen](/attachment/doc/boot-screen-4.2.png)](/attachment/doc/boot-screen-4.2.png)
 

user/downloading-installing-upgrading/testing.md

@@ -17,7 +17,7 @@ How to test upcoming Qubes OS releases:
 
 - Test the latest release candidate (RC) on the [downloads](/downloads/) page, if one is currently available. (Or try an older RC from our [FTP server](https://ftp.qubes-os.org/iso/).)
 - Try the [signed weekly builds](https://qubes.notset.fr/iso/). ([Learn more](https://forum.qubes-os.org/t/16929) and [track their status](https://github.com/fepitre/updates-status-iso/issues).)
-- Use [qubes-builder](/doc/qubes-builder/) to build the latest release yourself.
+- Use [qubes-builder](/doc/qubes-builder-v2/) to build the latest release yourself.
 - (No support) Experiment with developer alpha ISOs found from time to time at [Qubes OpenQA](https://openqa.qubes-os.org/).
 
 Please make sure to [report any bugs you encounter](/doc/issue-tracking/).

user/hardware/certified-hardware/certified-hardware.md

@@ -25,71 +25,19 @@ Qubes-certified computers are certified for a [major release](/doc/version-schem
 
 The current Qubes-certified models are listed below in reverse chronological order of certification.
 
-### NovaCustom V54 Series 14.0 inch coreboot laptop
-
-[![Photo of the NovaCustom V54 Series 14.0 inch coreboot laptop](/attachment/site/novacustom-v54-series.png)](https://novacustom.com/product/v54-series/)
-
-The [NovaCustom V54 Series 14.0 inch coreboot laptop](https://novacustom.com/product/v54-series/) is certified for Qubes OS Release 4.
-
-### NitroPad V56
-
-[![Photo of the NitroPad V56](/attachment/site/nitropad-v56.png)](https://shop.nitrokey.com/shop/nitropad-v56-684)
-
-The [NitroPad V56](https://shop.nitrokey.com/shop/nitropad-v56-684) is certified for Qubes OS Release 4.
-
-### NovaCustom V56 Series 16.0 inch coreboot laptop
-
-[![Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop](/attachment/site/novacustom-v56-series.png)](https://novacustom.com/product/v56-series/)
-
-The [NovaCustom V56 Series 16.0 inch coreboot laptop](https://novacustom.com/product/v56-series/) is certified for Qubes OS Release 4.
-
-### NitroPC Pro 2
-
-[![Photo of the NitroPC Pro 2](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/nitropc-pro-2-523)
-
-The [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) is a desktop based on the MSI PRO Z790-P DDR5 motherboard. It is certified for Qubes OS Release 4.
-
-### Star Labs StarBook
-
-[![Photo of the Star Labs StarBook](/attachment/site/starlabs-starbook.png)](https://starlabs.systems/pages/starbook)
-
-The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is a 14-inch laptop. It is certified for Qubes OS Release 4.
-
-### NitroPC Pro
-
-[![Photo of the NitroPC Pro](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/product/nitropc-pro-523)
-
-The [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is a desktop based on the MSI PRO Z690-A DDR5 motherboard. It is certified for Qubes OS Release 4.
-
-### NovaCustom NV41 Series
-
-[![Photo of the NovaCustom NV41 Series](/attachment/site/novacustom-nv41-series.png)](https://novacustom.com/product/nv41-series/)
-
-The [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) is a 14-inch custom laptop. It is certified for Qubes OS Release 4.
-
-### Dasharo FidelisGuard Z690
-
-[![Photo of the Dasharo FidelisGuard Z690](/attachment/site/dasharo-fidelisguard-z690.jpg)](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
-
-The [Dasharo FidelisGuard Z690](https://3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is a desktop based on the MSI PRO Z690-A DDR4 motherboard. It is certified for Qubes OS Release 4.
-
-### NitroPad T430
-
-[![Photo of the NitroPad T430](/attachment/site/nitropad-t430.jpg)](https://shop.nitrokey.com/shop/product/nitropad-t430-119)
-
-The [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) is a laptop based on the ThinkPad T430. It is certified for Qubes OS Release 4.
-
-### NitroPad X230
-
-[![Photo of the NitroPad X230](/attachment/site/nitropad-x230.jpg)](https://shop.nitrokey.com/shop/product/nitropad-x230-67)
-
-The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) is a laptop based on the ThinkPad X230. It is certified for Qubes OS Release 4.
-
-### Insurgo PrivacyBeast X230
-
-[![Photo of the Insurgo PrivacyBeast X230](/attachment/site/insurgo-privacybeast-x230.png)](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/)
-
-The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is a laptop based on the ThinkPad X230. It is certified for Qubes OS Release 4.
+| Brand                                  | Model                                                                                                                                                                  | Certification details                                                       |
+| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- |
+| [NovaCustom](https://novacustom.com/)  | [V54 Series](https://novacustom.com/product/v54-series/)                                                                                                               | [Certification details](/doc/certified-hardware/novacustom-v54-series/)     |
+| [Nitrokey](https://www.nitrokey.com/)  | [NitroPad V56](https://shop.nitrokey.com/shop/nitropad-v56-684)                                                                                                        | [Certification details](/doc/certified-hardware/nitropad-v56/)              |
+| [NovaCustom](https://novacustom.com/)  | [V56 Series](https://novacustom.com/product/v56-series/)                                                                                                               | [Certification details](/doc/certified-hardware/novacustom-v56-series/)     |
+| [Nitrokey](https://www.nitrokey.com/)  | [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523)                                                                                                      | [Certification details](/doc/certified-hardware/nitropc-pro-2/)             |
+| [Star Labs](https://starlabs.systems/) | [StarBook](https://starlabs.systems/pages/starbook)                                                                                                                    | [Certification details](/doc/certified-hardware/starlabs-starbook/)         |
+| [Nitrokey](https://www.nitrokey.com/)  | [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523)                                                                                                  | [Certification details](/doc/certified-hardware/nitropc-pro/)               |
+| [NovaCustom](https://novacustom.com/)  | [NV41 Series](https://novacustom.com/product/nv41-series/)                                                                                                             | [Certification details](/doc/certified-hardware/novacustom-nv41-series/)    |
+| [3mdeb](https://3mdeb.com/)            | [Dasharo FidelisGuard Z690](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) | [Certification details](/doc/certified-hardware/dasharo-fidelisguard-z690/) |
+| [Nitrokey](https://www.nitrokey.com/)  | [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119)                                                                                              | [Certification details](/doc/certified-hardware/nitropad-t430/)             |
+| [Nitrokey](https://www.nitrokey.com/)  | [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67)                                                                                               | [Certification details](/doc/certified-hardware/nitropad-x230/)             |
+| [Insurgo](https://insurgo.ca/)         | [PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/)                                                         | [Certification details](/doc/certified-hardware/insurgo-privacybeast-x230/) |
 
 ## Become hardware certified
 

user/hardware/certified-hardware/dasharo-fidelisguard-z690.md

@@ -0,0 +1,38 @@
+---
+lang: en
+layout: doc
+permalink: /doc/certified-hardware/dasharo-fidelisguard-z690/
+title: Dasharo FidelisGuard Z690
+image: /attachment/posts/dasharo-fidelisguard-z690_2.jpg
+---
+
+The [Dasharo FidelisGuard Z690](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
+
+[![Photo of MSI PRO Z690-A DDR4 motherboard](/attachment/posts/dasharo-fidelisguard-z690_1.jpg)](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
+
+The [Dasharo FidelisGuard Z690](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) is a full desktop PC build that brings the [Dasharo](https://dasharo.com/) open-source firmware distribution to the MSI PRO Z690-A DDR4 motherboard with Qubes OS preinstalled. The full configuration includes:
+
+| Part         | Model Name                                                     |
+|------------- | -------------------------------------------------------------- |
+| CPU	         | Intel Core i5-12600K, 3.7GHz                                   |
+| Cooling	     | Noctua CPU NH-U12S Redux                                       |
+| RAM	         | Kingston Fury Beast, DDR4, 4x8GB (32 GB Total), 3600 MHz, CL17 |
+| Power Supply | Seasonic Focus PX 750W 80 Plus Platinum                        |
+| Storage      | SSD Intel 670p 512 GB M.2 2280 PCI-E x4 Gen3 NVMe              |
+| Enclosure	   | SilentiumPC Armis AR1                                          |
+
+[![Photo of Dasharo FidelisGuard Z690 with open case](/attachment/posts/dasharo-fidelisguard-z690_2.jpg)](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
+
+This computer comes with a "Dasharo Supporters Entrance Subscription," which includes the following:
+
+- Full access to [Dasharo Tools Suite (DTS)](https://docs.dasharo.com/dasharo-tools-suite/overview/)
+- The latest Dasharo releases issued by the Dasharo Team
+- Special Dasharo updates for supporters
+- Dasharo Premier Support through an invite-only Matrix channel
+- Influence on the Dasharo feature roadmap
+
+[![Photo of Dasharo FidelisGuard Z690 with open case](/attachment/posts/dasharo-fidelisguard-z690_3.jpg)](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)
+
+For further details, please see the [Dasharo FidelisGuard Z690](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/) product page.
+
+[![Photo of the outside of the Dasharo FidelisGuard Z690](/attachment/posts/dasharo-fidelisguard-z690_4.jpg)](https://web.archive.org/web/20240917145232/https://shop.3mdeb.com/shop/open-source-hardware/dasharo-fidelisguard-z690-qubes-os-certified/)

user/hardware/certified-hardware/insurgo-privacybeast-x230.md

@@ -0,0 +1,26 @@
+---
+lang: en
+layout: doc
+permalink: /doc/certified-hardware/insurgo-privacybeast-x230/
+title: Insurgo PrivacyBeast X230
+image: /attachment/site/insurgo-privacybeast-x230.png
+---
+
+<div class="alert alert-danger" role="alert">
+  <i class="fa fa-exclamation-triangle"></i>
+  <b>Warning:</b> The CPU in this computer no longer receives microcode updates from Intel. Without microcode updates, Qubes OS cannot ensure that this computer is secure against CPU vulnerabilities. While this computer remains certified for Qubes OS Release 4, we recommend that prospective buyers consider a newer Qubes-certified computer instead.
+</div>
+
+The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
+
+[![Photo of the Insurgo PrivacyBeast X230](/attachment/site/insurgo-privacybeast-x230.png)](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/)
+
+The [Insurgo PrivacyBeast X230](https://insurgo.ca/produit/qubesos-certified-privacybeast_x230-reasonably-secured-laptop/) is a custom refurbished [ThinkPad X230](https://www.thinkwiki.org/wiki/Category:X230) that includes the following features:
+
+- [coreboot](https://www.coreboot.org/) initialization for the x230 is binary-blob-free, including native graphic initialization. Built with the [Heads](https://github.com/osresearch/heads/) payload, it delivers an [Anti Evil Maid (AEM)](/doc/anti-evil-maid/)-like solution built into the firmware. (Even though our [requirements](/doc/certified-hardware/#hardware-certification-requirements) provide an exception for CPU-vendor-provided blobs for silicon and memory initialization, Insurgo exceeds our requirements by insisting that these be absent from its machines.)
+
+- [Intel ME](https://libreboot.org/faq.html#intelme) is neutered through the AltMeDisable bit, while all modules other than ROMP and BUP, which are required to initialize main CPU, have been [deleted](https://github.com/osresearch/heads-wiki/blob/master/Clean-the-ME-firmware.md#how-to-disabledeactive-most-of-it).
+
+- A re-ownership process that allows it to ship pre-installed with Qubes OS, including full-disk encryption already in place, but where the final disk encryption key is regenerated only when the machine is first powered on by the user, so that the OEM doesn't know it.
+
+- [Heads](https://github.com/osresearch/heads/) provisioned pre-delivery to protect against malicious [interdiction](https://en.wikipedia.org/wiki/Interdiction).

user/hardware/certified-hardware/nitropad-t430.md

@@ -0,0 +1,30 @@
+---
+lang: en
+layout: doc
+permalink: /doc/certified-hardware/nitropad-t430/
+title: NitroPad T430
+image: /attachment/site/nitropad-t430.jpg
+---
+
+<div class="alert alert-danger" role="alert">
+  <i class="fa fa-exclamation-triangle"></i>
+  <b>Warning:</b> The CPU in this computer no longer receives microcode updates from Intel. Without microcode updates, Qubes OS cannot ensure that this computer is secure against CPU vulnerabilities. While this computer remains certified for Qubes OS Release 4, we recommend that prospective buyers consider a newer Qubes-certified computer instead.
+</div>
+
+<div class="alert alert-warning" role="alert">
+  <i class="fa fa-exclamation-circle"></i>
+  <b>Note:</b> Please be advised that the i7-3632QM option is <b>not</b> compatible with Qubes OS, as it does not support VT-d. The option specifically tested by the Qubes team is the i5-3320M.
+</div>
+
+The [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
+
+[![Photo of the NitroPad T430](/attachment/site/nitropad-t430.jpg)](https://shop.nitrokey.com/shop/product/nitropad-t430-119)
+
+Key features of the [NitroPad T430](https://shop.nitrokey.com/shop/product/nitropad-t430-119) include:
+
+- Tamper detection through measured boot with [coreboot](https://www.coreboot.org/), [Heads](https://github.com/osresearch/heads/), and Nitrokey USB hardware, including support for [Anti Evil Maid (AEM)](/doc/anti-evil-maid/)
+- Deactivated [Intel Management Engine](https://libreboot.org/faq.html#intelme)
+- User-replaceable cryptographic keys
+- Included Nitrokey USB key
+- Professional ThinkPad hardware based on the [ThinkPad T430](https://www.thinkwiki.org/wiki/Category:T430)
+- Security-conscious shipping to mitigate against third-party [interdiction](https://en.wikipedia.org/wiki/Interdiction)

user/hardware/certified-hardware/nitropad-v56.md

@@ -0,0 +1,82 @@
+---
+lang: en
+layout: doc
+permalink: /doc/certified-hardware/nitropad-v56/
+title: NitroPad V56
+image: /attachment/site/nitropad-v56.png
+---
+
+The [NitroPad V56](https://shop.nitrokey.com/shop/nitropad-v56-684) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
+
+[![Photo of the NitroPad V56](/attachment/site/nitropad-v56.png)](https://shop.nitrokey.com/shop/nitropad-v56-684)
+
+## Qubes-certified options
+
+The configuration options required for Qubes certification are detailed below.
+
+### Processor and graphics card
+
+- Certified: Intel Core Ultra 5 Processor 125H, Intel Arc iGPU with AI Boost
+- Certified: Intel Core Ultra 7 Processor 155H, Intel Arc iGPU with AI Boost
+- The Nvidia GPU options are not currently certified.
+
+### Memory (RAM) DDR5, 5600 MHz
+
+- Certified: All options 16 GB (2x8 GB) and higher
+
+
+### 1st Hard Disk SSD NVMe PCIe 4.0 x4
+
+- Certified: Any of the available options in this section
+
+### 2nd Hard Disk SSD NVMe PCIe 4.0 x4
+
+- Certified: Any of the available options in this section
+
+### Keyboard
+
+- Certified: Any of the available options in this section
+
+### Wireless interfaces
+
+- Certified: Wi-Fi 6E + Bluetooth 5.3, Intel AX-210/211 (non vPro) WLAN module 2.4 Gbps, 802.11ax
+- Certified: Wi-Fi 7 + Bluetooth 5.42, Intel BE200 (non vPro) WLAN module 5.8 Gbps, 802.11be
+- Certified: No wireless
+
+### Webcam and microphone
+
+- Certified: Any of the available options in this section
+
+### Type
+
+- Certified: Any of the available options in this section
+
+### Firmware
+
+- Certified: Dasharo TianoCore UEFI without Measured boot, without Nitrokey
+- The option "Dasharo HEADS with Measured Boot, requires Nitrokey!" is not yet certified.
+
+### Operating system
+
+- Certified: Qubes OS 4.2.3 or newer (within Release 4).
+- Releases older than 4.2.3 are not certified.
+- You may choose either to have Nitrokey preinstall Qubes OS for you, or you may choose to install Qubes OS yourself. This choice does not affect certification.
+
+### Nitrokey
+
+- Certified: None -- for TianoCore only!
+- The Nitrokey options are currently not applicable to Qubes hardware certification. (See the Firmware section above.)
+
+### Shipment of Nitrokey
+
+- This section does not affect Qubes hardware certification.
+
+### Tamper-evident packaging
+
+- This section does not affect Qubes hardware certification.
+
+## Disclaimers
+
+- In order for Wi-Fi to function properly, `sys-net` must currently be based on a Fedora template. The firmware package in Debian templates is currently too old for the certified Wi-Fi cards.
+- Currently requires `kernel-latest`: If you install Qubes OS yourself, you must select the `Install Qubes OS RX using kernel-latest` option on the GRUB menu when booting the installer. This non-default kernel option is currently required for the NitroPad V56 to function properly.
+- Due to a [known bug](https://github.com/Dasharo/dasharo-issues/issues/976), the bottom-right USB-C port is currently limited to USB 2.0 speeds.

user/hardware/certified-hardware/nitropad-x230.md

@@ -0,0 +1,25 @@
+---
+lang: en
+layout: doc
+permalink: /doc/certified-hardware/nitropad-x230/
+title: NitroPad X230
+image: /attachment/site/nitropad-x230.jpg
+---
+
+<div class="alert alert-danger" role="alert">
+  <i class="fa fa-exclamation-triangle"></i>
+  <b>Warning:</b> The CPU in this computer no longer receives microcode updates from Intel. Without microcode updates, Qubes OS cannot ensure that this computer is secure against CPU vulnerabilities. While this computer remains certified for Qubes OS Release 4, we recommend that prospective buyers consider a newer Qubes-certified computer instead.
+</div>
+
+The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
+
+[![Photo of the NitroPad X230](/attachment/site/nitropad-x230.jpg)](https://shop.nitrokey.com/shop/product/nitropad-x230-67)
+
+The [NitroPad X230](https://shop.nitrokey.com/shop/product/nitropad-x230-67) offers users unprecedented control over the security of their hardware. Key features include:
+
+- Tamper detection through measured boot with [coreboot](https://www.coreboot.org/), [Heads](https://github.com/osresearch/heads/), and Nitrokey USB hardware, including support for [Anti Evil Maid (AEM)](/doc/anti-evil-maid/)
+- Deactivated [Intel Management Engine](https://libreboot.org/faq.html#intelme)
+- User-replaceable cryptographic keys
+- Included Nitrokey USB key
+- Professional ThinkPad hardware based on the [ThinkPad X230](https://www.thinkwiki.org/wiki/Category:X230)
+- Security-conscious shipping to mitigate against third-party [interdiction](https://en.wikipedia.org/wiki/Interdiction)

user/hardware/certified-hardware/nitropc-pro-2.md

@@ -0,0 +1,47 @@
+---
+lang: en
+layout: doc
+permalink: /doc/certified-hardware/nitropc-pro-2/
+title: NitroPC Pro 2
+image: /attachment/posts/nitropc-pro.jpg
+---
+
+<div class="alert alert-warning" role="alert">
+  <i class="fa fa-exclamation-circle"></i>
+  <b>Note:</b> When configuring your NitroPC Pro 2 on the Nitrokey website, there is an option for a discrete graphics card (e.g., Nvidia GeForce RTX 4070 or 4090) in addition to integrated graphics (e.g., Intel UHD 770, which is always included because it is physically built into the CPU). NitroPC Pro 2 configurations that include discrete graphics cards are <em>not</em> Qubes-certified. The only NitroPC Pro 2 configurations that are Qubes-certified are those that contain <em>only</em> integrated graphics.
+</div>
+
+<div class="alert alert-warning" role="alert">
+  <i class="fa fa-exclamation-circle"></i>
+  <b>Note:</b> Only the "Dasharo TianoCore UEFI without Measured Boot, without Nitrokey" firmware option is certified. The "HEADS with Measured Boot, requires Nitrokey!" firmware option is <em>not</em> certified.
+</div>
+
+The [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
+
+[![Photo of NitroPC Pro 2](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/nitropc-pro-2-523)
+
+Here's a summary of the main component options available for this mid-tower desktop PC:
+
+| Component                    | Options                                                  |
+|----------------------------- | -------------------------------------------------------- |
+| Motherboard                  | MSI PRO Z790-P DDR5 (Wi-Fi optional)                     |
+| Processor                    | 14th Generation Intel Core i5-14600K or i9-14900K        |
+| Memory                       | 16 GB to 128 GB DDR5                                     |
+| NVMe storage (optional)      | Up to two NVMe PCIe 4.0 x4 SSDs, up to 2 TB each         |
+| SATA storage (optional)      | Up to two SATA SSDs, up to 7.68 TB each                  |
+| Wireless (optional)          | Wi-Fi 6E, 2400 Mbps, 802.11/a/b/g/n/ac/ax, Bluetooth 5.2 |
+| Operating system (optional)  | Qubes OS 4.2 or Ubuntu 22.04 LTS                         |
+
+Of special note for Qubes users, the NitroPC Pro 2 features a combined PS/2 port that supports both a PS/2 keyboard and a PS/2 mouse simultaneously with a Y-cable (not included). This allows for full control of dom0 without the need for USB keyboard or mouse passthrough. Nitrokey also offers a special tamper-evident shipping method for an additional fee. With this option, the case screws will be individually sealed and photographed, and the NitroPC Pro 2 will be packed inside a sealed bag. Photographs of the seals will be sent to you by email, which you can use to determine whether the case was opened during transit.
+
+The NitroPC Pro 2 also comes with a "Dasharo Entry Subscription," which includes the following:
+
+- Accesses to the latest firmware releases
+- Exclusive newsletter
+- Special updates, including early access to updates enhancing privacy, security, performance, and compatibility
+- Early access to new firmware releases for [newly-supported desktop platforms](https://docs.dasharo.com/variants/overview/#desktop) (please see the [roadmap](https://github.com/Dasharo/presentations/blob/main/dasharo_roadmap.md#dasharo-desktop-roadmap))
+- Access to the Dasharo Premier Support invite-only live chat channel on the Matrix network, allowing direct access to the Dasharo Team and fellow subscribers with personalized and priority assistance
+- Insider's view and influence on the Dasharo feature roadmap for a real impact on Dasharo development
+- [Dasharo Tools Suite Entry Subscription](https://docs.dasharo.com/osf-trivia-list/dts/#what-is-dasharo-tools-suite-supporters-entrance) keys
+
+For further product details, please see the official [NitroPC Pro 2](https://shop.nitrokey.com/shop/nitropc-pro-2-523) page.

user/hardware/certified-hardware/nitropc-pro.md

@@ -0,0 +1,47 @@
+---
+lang: en
+layout: doc
+permalink: /doc/certified-hardware/nitropc-pro/
+title: NitroPC Pro
+image: /attachment/posts/nitropc-pro.jpg
+---
+
+<div class="alert alert-warning" role="alert">
+  <i class="fa fa-exclamation-circle"></i>
+  <b>Note:</b> When configuring your NitroPC Pro 2 on the Nitrokey website, there is an option for a discrete graphics card (e.g., Nvidia GeForce RTX 4070 or 4090) in addition to integrated graphics (e.g., Intel UHD 770, which is always included because it is physically built into the CPU). NitroPC Pro 2 configurations that include discrete graphics cards are <em>not</em> Qubes-certified. The only NitroPC Pro 2 configurations that are Qubes-certified are those that contain <em>only</em> integrated graphics.
+</div>
+
+<div class="alert alert-warning" role="alert">
+  <i class="fa fa-exclamation-circle"></i>
+  <b>Note:</b> Only the "Dasharo TianoCore UEFI without Measured Boot, without Nitrokey" firmware option is certified. The "HEADS with Measured Boot, requires Nitrokey!" firmware option is <em>not</em> certified.
+</div>
+
+The [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
+
+[![Photo of NitroPC Pro](/attachment/posts/nitropc-pro.jpg)](https://shop.nitrokey.com/shop/product/nitropc-pro-523)
+
+Here's a summary of the main component options available for this mid-tower desktop PC:
+
+| Component                    | Options                                                  |
+|----------------------------- | -------------------------------------------------------- |
+| Motherboard                  | MSI PRO Z690-A DDR5 (Wi-Fi optional)                     |
+| Processor                    | 12th Generation Intel Core i5-12600K or i9-12900K        |
+| Memory                       | 16 GB to 128 GB DDR5                                     |
+| NVMe storage (optional)      | Up to two NVMe PCIe 4.0 x4 SSDs, up to 2 TB each         |
+| SATA storage (optional)      | Up to two SATA SSDs, up to 7.68 TB each                  |
+| Wireless (optional)          | Wi-Fi 6E, 2400 Mbps, 802.11/a/b/g/n/ac/ax, Bluetooth 5.2 |
+| Operating system (optional)  | Qubes OS 4.1 or Ubuntu 22.04 LTS                         |
+
+Of special note for Qubes users, the NitroPC Pro features a combined PS/2 port that supports both a PS/2 keyboard and a PS/2 mouse simultaneously with a Y-cable (not included). This allows for full control of dom0 without the need for USB keyboard or mouse passthrough. Nitrokey also offers a special tamper-evident shipping method for an additional fee. With this option, the case screws will be individually sealed and photographed, and the NitroPC Pro will be packed inside a sealed bag. Photographs of the seals will be sent to you by email, which you can use to determine whether the case was opened during transit.
+
+The NitroPC Pro also comes with a "Dasharo Entry Subscription," which includes the following:
+
+- Accesses to the latest firmware releases
+- Exclusive newsletter
+- Special firmware updates, including early access to updates enhancing privacy, security, performance, and compatibility
+- Early access to new firmware releases for [newly-supported desktop platforms](https://docs.dasharo.com/variants/overview/#desktop) (please see the [roadmap](https://github.com/Dasharo/presentations/blob/main/dug2_dasharo_roadmap.md#dasharo-desktop-roadmap))
+- Access to the Dasharo Premier Support invite-only live chat channel on the Matrix network, allowing direct access to the Dasharo Team and fellow subscribers with personalized and priority assistance
+- Insider's view and influence on the Dasharo feature roadmap for a real impact on Dasharo development
+- [Dasharo Tools Suite Entry Subscription](https://docs.dasharo.com/osf-trivia-list/dts/#what-is-dasharo-tools-suite-supporters-entrance) keys
+
+For further product details, please see the official [NitroPC Pro](https://shop.nitrokey.com/shop/product/nitropc-pro-523) page.

user/hardware/certified-hardware/novacustom-nv41-series.md

@@ -0,0 +1,42 @@
+---
+lang: en
+layout: doc
+permalink: /doc/certified-hardware/novacustom-nv41-series/
+title: NovaCustom NV41 Series
+image: /attachment/site/novacustom-nv41-series.png
+---
+
+The [NovaCustom NV41 Series](https://novacustom.com/product/nv41-series/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
+
+[![Photo of the NovaCustom NV41 Series](/attachment/site/novacustom-nv41-series.png)](https://novacustom.com/product/nv41-series/)
+
+## Qubes-certified configurations
+
+The following configuration options are certified for Qubes OS Release 4:
+
+Processor:
+- Intel Core i5-1240P processor
+- Intel Core i7-1260P processor
+
+Memory:
+- 2 x 16 GB Kingston DDR4 SODIMM 3200 MHz (32 GB total)
+- 1 x 32 GB Kingston DDR4 SODIMM 3200 MHz (32 GB total)
+- 2 x 32 GB Kingston DDR4 SODIMM 3200 MHz (64 GB total)
+
+M.2 storage chip:
+- Samsung 980 SSD (all capacities)
+- Samsung 980 Pro SSD (all capacities)
+
+Wi-Fi and Bluetooth:
+- Intel AX-200/201 Wi-Fi module 2976 Mbps, 802.11ax/Wi-Fi 6 + Bluetooth 5.2
+- Killer (Intel) Wireless-AX 1675x M.2 Wi-Fi module 802.11ax/Wi-Fi 6E + Bluetooth 5.3
+- Blob-free: Qualcomm Atheros QCNFA222 Wi-Fi 802.11a/b/g/n + Bluetooth 4.0
+- No Wi-Fi/Bluetooth chip
+
+### Notes on Wi-Fi and Bluetooth options
+
+- When viewed in a Linux environment with `lspci`, the "Killer (Intel) Wireless-AX 1675x M.2 Wi-Fi module 802.11ax/Wi-Fi 6E + Bluetooth 5.3" device displays the model number "AX210." However, according to its [Intel Ark entry](https://ark.intel.com/content/www/us/en/ark/products/211485/intel-killer-wifi-6e-ax1675-xw.html) (in the "Product Brief" file), they are actually the same Wi-Fi module.
+
+- Similarly, when viewed in a Linux environment with `lspci`, the "Blob-free: Qualcomm Atheros QCNFA222 Wi-Fi 802.11a/b/g/n + Bluetooth 4.0" device displays the model number "AR9462," which seems to be just the Wi-Fi chip model number, whereas "QCNFA222" seems to be the model number of the whole device (which include Bluetooth). Meanwhile, the Bluetooth device presents itself as "IMC Networks Device 3487."
+
+- The term "blob-free" is used in different ways. In practice, being "blob-free" generally does *not* mean that the device does not use any closed-source firmware "blobs." Rather, it means that the device comes with firmware *preinstalled* so that it does not have to be loaded from the operating system. In theory, the preinstalled firmware could be open-source, but as far as we know, that is not the case with this particular Atheros Wi-Fi/Bluetooth module. (Qualcomm has published firmware source code in the past, but only for other device models, as far as we are aware.) Meanwhile, the Free Software Foundation (FSF) [considers](https://www.gnu.org/philosophy/free-hardware-designs.en.html#boundary) unmodifiable preinstalled firmware to be part of the hardware, hence they regard such hardware as "blob-free" from a software perspective. While common usage of the term "blob-free" often follows the FSF's interpretation, it is worthwhile for Qubes users who are concerned about closed-source firmware to understand the nuance.

user/hardware/certified-hardware/novacustom-v54-series.md

@@ -0,0 +1,69 @@
+---
+lang: en
+layout: doc
+permalink: /doc/certified-hardware/novacustom-v54-series/
+title: NovaCustom V54 Series
+image: /attachment/site/novacustom-v54-series.png
+---
+
+The [NovaCustom V54 Series 14.0 inch coreboot laptop](https://novacustom.com/product/v54-series/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
+
+[![Photo of the NovaCustom V54 Series 14.0 inch coreboot laptop](/attachment/site/novacustom-v54-series.png)](https://novacustom.com/product/v54-series/)
+
+## Qubes-certified options
+
+The configuration options required for Qubes certification are detailed below.
+
+### Screen size
+
+- Certified: 14 inch
+
+**Note:** The 14-inch model (V540TU) and the 16-inch model (V560TU) are two separate products. [The 16-inch model is also certified.](/doc/certified-hardware/novacustom-v56-series/)
+
+### Screen resolution
+
+- Certified: Full HD+ (1920 x 1200)
+- Certified: 2.8K (2880 x 1800)
+
+### Processor and graphics
+
+- Certified: Intel Core Ultra 5 Processor 125H, Intel Arc iGPU with AI Boost
+- Certified: Intel Core Ultra 7 Processor 155H, Intel Arc iGPU with AI Boost
+- The Nvidia discrete GPU options are not currently certified.
+
+### Memory
+
+- Certified: Any configuration with at least 16 GB of memory
+
+### Storage
+
+- Certified: All of the available options in these sections
+
+### Personalization
+
+- This section is merely cosmetic and therefore does not affect certification.
+
+### Firmware options
+
+- Qubes OS does not currently support UEFI secure boot.
+- The option to be kept up to date with firmware updates is merely an email notification service and therefore does not affect certification.
+- The coreboot+Heads option is not currently certified. This option is a separate firmware variant. As such, it requires a separate certification process, which we expect to occur in the future.
+- Disabling Intel Management Engine (HAP disabling) does not affect certification.
+
+### Operating system
+
+- Certified: Qubes OS 4.2.4 or newer (within Release 4).
+- Releases older than 4.2.4 are not certified.
+- You may choose either to have NovaCustom preinstall Qubes OS for you, or you may choose to install Qubes OS yourself. This choice does not affect certification.
+
+### Wi-Fi and Bluetooth
+
+- Certified: Intel AX-210/211 (non vPro) Wi-Fi module 2.4 Gbps, 802.11AX/Wi-Fi6E + Bluetooth 5.3
+- Certified: Intel BE200 (non vPro) Wi-Fi module 5.8 Gbps, 802.11BE/Wi-Fi7 + Bluetooth 5.42
+- Certified: No Wi-Fi chip -- no Bluetooth and Wi-Fi connection possible (only with USB adapter)
+
+## Disclaimers
+
+- In order for Wi-Fi to function properly, `sys-net` must currently be based on a Fedora template. The firmware package in Debian templates is currently too old for the certified Wi-Fi cards.
+- Currently requires `kernel-latest`: If you install Qubes OS yourself, you must select the `Install Qubes OS RX using kernel-latest` option on the GRUB menu when booting the installer. This non-default kernel option is currently required for the NovaCustom V54 Series to function properly.
+- Due to a [known bug](https://github.com/Dasharo/dasharo-issues/issues/976), the bottom-right USB-C port is currently limited to USB 2.0 speeds.

user/hardware/certified-hardware/novacustom-v56-series.md

@@ -0,0 +1,69 @@
+---
+lang: en
+layout: doc
+permalink: /doc/certified-hardware/novacustom-v56-series/
+title: NovaCustom V56 Series
+image: /attachment/site/novacustom-v56-series.png
+---
+
+The [NovaCustom V56 Series 16.0 inch coreboot laptop](https://novacustom.com/product/v56-series/) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
+
+[![Photo of the NovaCustom V56 Series 16.0 inch coreboot laptop](/attachment/site/novacustom-v56-series.png)](https://novacustom.com/product/v56-series/)
+
+## Qubes-certified options
+
+The configuration options required for Qubes certification are detailed below.
+
+### Screen size
+
+- Certified: 16 inch
+
+**Note:** The 16-inch model (V560TU) and the 14-inch model (V540TU) are two separate products. [The 14-inch model is also certified.](/doc/certified-hardware/novacustom-v54-series/)
+
+### Screen resolution
+
+- Certified: Full HD+ (1920 x 1200)
+- Certified: Q-HD+ (2560 x 1600)
+
+### Processor and graphics
+
+- Certified: Intel Core Ultra 5 Processor 125H + Intel Arc iGPU with AI Boost
+- Certified: Intel Core Ultra 7 Processor 155H + Intel Arc iGPU with AI Boost
+- The Nvidia discrete GPU options are not currently certified.
+
+### Memory
+
+- Certified: Any configuration with at least 16 GB of memory
+
+### Storage
+
+- Certified: Any of the available options in this section
+
+### Personalization
+
+- This section is merely cosmetic and therefore does not affect certification.
+
+### Firmware options
+
+- Qubes OS does not currently support UEFI secure boot.
+- Keeping up-to-date with firmware updates is merely an email notification service and therefore does not affect certification.
+- The coreboot+Heads option is not currently certified. This option is a separate firmware variant. As such, it requires a separate certification process, which we expect to occur in the future.
+- Disabling Intel Management Engine (HAP disabling) does not affect certification.
+
+### Operating system
+
+- Certified: Qubes OS 4.2.3 or newer (within Release 4).
+- Releases older than 4.2.3 are not certified.
+- You may choose either to have NovaCustom preinstall Qubes OS for you, or you may choose to install Qubes OS yourself. This choice does not affect certification.
+
+### Wi-Fi and Bluetooth
+
+- Certified: Intel AX-210/211 (non vPro) Wi-Fi module 2.4 Gbps, 802.11AX/Wi-Fi6E + Bluetooth 5.3
+- Certified: Intel BE200 (non vPro) Wi-Fi module 5.8 Gbps, 802.11BE/Wi-Fi7 + Bluetooth 5.42
+- Certified: No Wi-Fi chip - no Bluetooth and Wi-Fi connection possible (only with USB adapter)
+
+## Disclaimers
+
+- In order for Wi-Fi to function properly, `sys-net` must currently be based on a Fedora template. The firmware package in Debian templates is currently too old for the certified Wi-Fi cards.
+- Currently requires `kernel-latest`: If you install Qubes OS yourself, you must select the `Install Qubes OS RX using kernel-latest` option on the GRUB menu when booting the installer. This non-default kernel option is currently required for the NovaCustom V56 Series to function properly.
+- Due to a [known bug](https://github.com/Dasharo/dasharo-issues/issues/976), the bottom-right USB-C port is currently limited to USB 2.0 speeds.

user/hardware/certified-hardware/starlabs-starbook.md

@@ -0,0 +1,35 @@
+---
+lang: en
+layout: doc
+permalink: /doc/certified-hardware/starlabs-starbook/
+title: Star Labs StarBook
+image: /attachment/site/starlabs-starbook.png
+---
+
+The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is [officially certified](/doc/certified-hardware/) for Qubes OS Release 4.
+
+The [Star Labs StarBook](https://starlabs.systems/pages/starbook) is a 14-inch laptop featuring open-source coreboot and EDK II firmware. 
+
+[![Photo of Star Labs StarBook](/attachment/site/starlabs-starbook.png)](https://starlabs.systems/pages/starbook)
+
+The Qubes developers have tested and certified the following StarBook configuration options for Qubes OS Release 4:
+
+| Component        | Qubes-certified options                          |
+| ---------------- | ------------------------------------------------ |
+| Processor        | 13th Generation Intel Core i3-1315U or i7-1360P  |
+| Memory           | 8 GB, 16 GB, 32 GB, or 64 GB RAM                 |
+| Storage          | 512 GB, 1 TB, or 2 TB SSD                        |
+| Graphics         | Intel (integrated graphics)                      |
+| Networking       | Intel Wi-Fi 6 AX210 (no built-in wired Ethernet) |
+| Firmware         | coreboot 8.97 (2023-10-03)                       |
+| Operating system | Qubes OS (pre-installation optional)             |
+
+[![Photo of Star Labs StarBook](/attachment/posts/starlabs-starbook_top.png)](https://starlabs.systems/pages/starbook)
+
+The StarBook features a true matte 14-inch IPS display at 1920x1080 full HD resolution with 400cd/m² of brightness, 178° viewing angles, and a 180° hinge. The backlit keyboard is available in US English, UK English, French, German, Nordic, and Spanish layouts.
+
+[![Photo of Star Labs StarBook](/attachment/posts/starlabs-starbook_side.png)](https://starlabs.systems/pages/starbook)
+
+The StarBook includes four USB ports (1x USB-C with Thunderbolt 4, 2x USB 3.0, and 1x USB 2.0), one HDMI port, a microSD slot, an audio input/output combo jack, and a DC jack for charging. For more information, see the official [Star Labs StarBook](https://starlabs.systems/pages/starbook) page.
+
+[![Photo of Star Labs StarBook](/attachment/posts/starlabs-starbook_back.png)](https://starlabs.systems/pages/starbook)

user/how-to-guides/backup-emergency-restore-v4.md

@@ -12,13 +12,17 @@ title: Emergency backup recovery (v4)
 This page describes how to perform an emergency restore of a backup created on
 Qubes R4.X (which uses backup format version 4).
 
-The Qubes backup system has been designed with emergency disaster recovery in
-mind. No special Qubes-specific tools are required to access data backed up by
-Qubes. In the event a Qubes system is unavailable, you can access your data on
-any GNU/Linux system with the following procedure.
+The Qubes backup system is designed with emergency disaster recovery in mind. No
+special Qubes-specific tools are required to access data backed up by Qubes. In
+the event a Qubes system is unavailable, you can access your data on any
+GNU/Linux system by following the instructions on this page.
 
-Required `scrypt` Utility
--------------------------
+**Important:** You may wish to store a copy of these instructions with your
+Qubes backups. All Qubes documentation, including this page, is available in
+plain text format in the [qubes-doc](https://github.com/QubesOS/qubes-doc) Git
+repository.
+
+## Required `scrypt` utility
 
 In Qubes 4.X, backups are encrypted and integrity-protected with
 [scrypt](https://www.tarsnap.com/scrypt.html). You will need a copy of this
@@ -34,8 +38,8 @@ easier scripting, which means you'll need to enter the passphrase for each file
 separately, instead of using `echo ... | scrypt`.
 
 Here are instructions for obtaining a compiled `scrypt` binary. This example
-uses an RPM-based system (Fedora), but the same general procedure should work
-on any GNU/Linux system.
+uses an RPM-based system (Fedora), but the same general procedure should work on
+any GNU/Linux system.
 
  1. If you're not on Qubes 4.X, [import and authenticate the Release 4 Signing
     Key](/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys).
@@ -46,7 +50,7 @@ on any GNU/Linux system.
 
         [user@restore ~]$ dnf download scrypt
 
-    or, if that doesn't work:
+    Or, if that doesn't work:
 
         [user@restore ~]$ curl -O https://yum.qubes-os.org/r4.0/current/vm/fc28/rpm/scrypt-1.2.1-1.fc28.x86_64.rpm
 
@@ -62,60 +66,35 @@ on any GNU/Linux system.
 
         [user@restore ~]$ sudo dnf install rpmdevtools
 
- 5. Extract the `scrypt` binary from the RPM.
+ 5. Extract the `scrypt` binary from the RPM and make it conveniently
+    available.
 
         [user@restore ~]$ rpmdev-extract scrypt-*.rpm
+        [user@restore ~]$ alias scrypt="$PWD/scrypt-*/usr/bin/scrypt"
 
- 6. (Optional) Create an alias for the new binary.
-
-        [user@restore ~]$ alias scrypt="scrypt-*/usr/bin/scrypt"
-
-Emergency Recovery Instructions
--------------------------------
+## Emergency recovery instructions
 
 **Note:** In the following example, the backup file is both *encrypted* and
 *compressed*.
 
- 1. Untar the main backup file.
+ 1. Untar the backup metadata from the main backup file.
 
-        [user@restore ~]$ tar -i -xvf qubes-backup-2015-06-05T123456
+        [user@restore ~]$ tar -i -xvf qubes-backup-2023-04-05T123456 \
+            backup-header backup-header.hmac qubes.xml.000.enc
         backup-header
         backup-header.hmac
         qubes.xml.000.enc
-        vm1/private.img.000.enc
-        vm1/private.img.001.enc
-        vm1/private.img.002.enc
-        vm1/icon.png.000.enc
-        vm1/firewall.xml.000.enc
-        vm1/whitelisted-appmenus.list.000.enc
-        dom0-home/dom0user.000.enc
-
-    **To extract only specific VMs:** Each VM in the backup file has its path
-    listed in `qubes.xml.000.enc`. Decrypt it. (In this example, the password is
-    `password`.)
-
-        [user@restore ~]$ cat backup-header | grep backup-id
-        backup-id=20190128T123456-1234
-        [user@restore ~]$ scrypt dec -P qubes.xml.000.enc qubes.xml.000
-        Please enter passphrase: 20190128T123456-1234!qubes.xml.000!password
-        [user@restore ~]$ tar -i -xvf qubes.xml.000
-
-    Now that you have the decrypted `qubes.xml.000` file, search for the
-    `backup-path` property inside of it. With the `backup-path`, extract only
-    the files necessary for your VM (`vmX`).
-
-        [user@restore ~]$ tar -i -xvf qubes-backup-2015-06-05T123456 \
-            backup-header backup-header.hmac vmX/
 
  2. Set the backup passphrase environment variable. While this isn't strictly
-    required, it will be handy later and will avoid saving the passphrase in
-    the shell's history.
+    required, it will be handy later and will avoid saving the passphrase in the
+    shell's history.
 
         [user@restore ~]$ read -r backup_pass
 
- 3. Verify the integrity of `backup-header`. For compatibility reasons,
-    `backup-header.hmac` is an encrypted *and integrity protected*
-    version of `backup-header`.
+    Type in your passphrase (it will be visible on screen!) and press Enter.
+
+ 3. Verify the integrity of `backup-header` using `backup-header.hmac` (an
+    encrypted *and integrity protected* version of `backup-header`).
 
         [user@restore ~]$ set +H
         [user@restore ~]$ echo "backup-header!$backup_pass" |\
@@ -123,34 +102,34 @@ Emergency Recovery Instructions
             diff -qs backup-header backup-header.verified
         Files backup-header and backup-header.verified are identical
 
-    **Note:** If this command fails, it may be that the backup was tampered
-    with or is in a different format. In the latter case, look inside
-    `backup-header` at the `version` field. If it contains a value other than
-    `version=4`, go to the instructions for that format version:
+    **Note:** If this command fails, it may be that the backup was tampered with
+    or is in a different format. In the latter case, look inside `backup-header`
+    at the `version` field. If it contains a value other than `version=4`, go to
+    the instructions for that format version:
     - [Emergency Backup Recovery without Qubes (v2)](/doc/backup-emergency-restore-v2/)
     - [Emergency Backup Recovery without Qubes (v3)](/doc/backup-emergency-restore-v3/)
 
- 4. Read `backup-header`:
+ 4. Read `backup-header`.
 
         [user@restore ~]$ cat backup-header
         version=4
         encrypted=True
         compressed=True
         compression-filter=gzip
-        backup_id=20161020T123455-1234
+        hmac-algorithm=scrypt
+        backup-id=20230405T123455-1234
 
- 5. Set `backup_id` to the value in the last line of `backup-header`:
+ 5. Set `backup_id` to the value in the last line of `backup-header`. (Note that
+    there is a hyphen in `backup-id` in the file, whereas there is an underscore
+    in `backup_id` in the variable you're setting.)
 
-        [user@restore ~]$ backup_id=20161020T123455-1234
+        [user@restore ~]$ backup_id=20230405T123455-1234
 
- 6. Verify the integrity of your data, decrypt, decompress, and extract
-    `private.img`:
+ 6. Verify and decrypt, decompress, and extract the `qubes.xml` file.
 
-        [user@restore ~]$ find vm1 -name 'private.img.*.enc' | sort -V | while read f_enc; do \
-            f_dec=${f_enc%.enc}; \
-            echo "$backup_id!$f_dec!$backup_pass" | scrypt dec -P $f_enc || break; \
-            done | gzip -d | tar -xv
-        vm1/private.img
+        [user@restore ~]$ echo "$backup_id!qubes.xml.000!$backup_pass" |\
+            scrypt dec -P qubes.xml.000.enc | gzip -d | tar -xv
+        qubes.xml
 
     If this pipeline fails, it is likely that the backup is corrupted or has
     been tampered with.
@@ -158,23 +137,66 @@ Emergency Recovery Instructions
     **Note:** If your backup was compressed with a program other than `gzip`,
     you must substitute the correct compression program in the command above.
     This information is contained in `backup-header` (see step 4). For example,
-    if your backup is compressed with `bzip2`, use `bzip2 -d` instead in the
-    command above.
+    if your backup is compressed with `bzip2`, use `bzip2 -d` instead of `gzip
+    -d` in the command above. You might need to install a package of the same
+    name (in this example, `bzip2`) through your distribution's package manager.
 
- 7. Mount `private.img` and access your data.
+ 7. Search inside of the `qubes.xml` file for the `backup-path` of the qube
+    whose data you wish to restore. If you install the `xmlstarlet` package, the
+    following command will convert `qubes.xml` to a friendlier listing for this
+    purpose:
 
-        [user@restore vm1]$ sudo mkdir /mnt/img
-        [user@restore vm1]$ sudo mount -o loop vm1/private.img /mnt/img/
-        [user@restore vm1]$ cat /mnt/img/home/user/your_data.txt
-        This data has been successfully recovered!
+        [user@restore ~]$ xmlstarlet sel -T -t -m //domain \
+            -v 'concat(.//property[@name="name"], " ", .//feature[@name="backup-path"])' \
+            -n qubes.xml
+        
+        anon-whonix
+        debian-11
+        default-mgmt-dvm
+        disp2345
+        fedora-37
+        fedora-37-dvm
+        personal vm123/
+        sys-firewall
+        sys-net
+        sys-usb
+        sys-whonix
+        untrusted
+        vault vm321/
+        whonix-gw-16
+        whonix-ws-16
+        whonix-ws-16-dvm
+        work
 
- 8. Success! If you wish to recover data from more than one VM in your backup,
-    simply repeat steps 6 and 7 for each additional VM.
+    The example output above shows that the backup file includes a qube named
+    `personal` and a qube named `vault`, with `backup-path` values of `vm123/`
+    and `vm321/` respectively. (Every other listed qube was not selected to be
+    included in the backup file.) Use the corresponding value to untar the
+    necessary data files of the qube:
 
-    **Note:** You may wish to store a copy of these instructions with your
-    Qubes backups in the event that you fail to recall the above procedure
-    while this web page is inaccessible. All Qubes documentation, including
-    this page, is available in plain text format in the following Git
-    repository:
+        [user@restore ~]$ tar -i -xvf qubes-backup-2023-04-05T123456 vm123/
 
-        https://github.com/QubesOS/qubes-doc.git
+ 8. Verify and decrypt the backed up data, decompress it, and extract it.
+
+        [user@restore ~]$ find vm123/ -name 'private.img.*.enc' | sort -V | while read f_enc; do \
+            f_dec=${f_enc%.enc}; \
+            echo "$backup_id!$f_dec!$backup_pass" | scrypt dec -P $f_enc || break; \
+            done | gzip -d | tar -xv
+        vm123/private.img
+
+    If this pipeline fails, it is likely that the backup is corrupted or has
+    been tampered with.
+
+    Also see the note in step 6 about substituting a different compression
+    program for `gzip`.
+
+ 9. Mount `private.img` and access your data.
+
+        [user@restore ~]$ sudo mkdir /mnt/img
+        [user@restore ~]$ sudo mount -o loop vm123/private.img /mnt/img/
+        [user@restore ~]$ ls /mnt/img/home/user/
+        example_data_file.txt
+        ...
+
+Success! If you wish to recover data from more than one qube in your backup,
+simply repeat steps 7, 8, and 9 for each additional qube.

user/how-to-guides/how-to-back-up-restore-and-migrate.md

@@ -160,6 +160,12 @@ out.
 6. When you are ready, click **Next**. Qubes will proceed to restore from your
 backup. Once the progress bar has completed, you may click **Finish**.
 
+In case that applications are not shown, i.e. "No applications found", open the
+settings of the qube -> select `Applications` -> click `Refresh applications`.
+
+When a restored application qube refreshes, the application lists will open the template qubes on which it is based. In that case the template qube should also be restored, if it is missing the default qube will be assigned.
+The updated list of the installed software can be seen on the left and adjusted accordingly to the user's needs.
+
 **Note:** When restoring from a dom0 backup, a new directory will be created in
 the current dom0 home directory, and the contents from the backup will be
 placed inside this new directory. This is intentional, as it allows users to

user/how-to-guides/how-to-organize-your-qubes.md

@@ -89,7 +89,7 @@ the other. Alice's setup looks like this:
   [bind-dirs](/doc/bind-dirs/) to make those changes persistent, but sometimes
   she doesn't want to get bogged down doing with all that and figures it
   wouldn't be worth it just for this one qube. She's secretly glad that Qubes
-  OS doesn't judge her this and just gives her the freedom to do things however
+  OS doesn't judge her for this and just gives her the freedom to do things however
   she likes while keeping everything securely compartmentalized. At times like
   these, she takes comfort in knowing that things can be messy and disorganized
   *within* a qube while her overall digital life remains well-organized.

user/security-in-qubes/firewall.md

@@ -40,8 +40,8 @@ If the qube is running, you can open Settings from the Qube Popup Menu.
 ICMP and DNS are not accessible in the GUI, but can be changed via `qvm-firewall` described below.
 Connections to Updates Proxy are not made over a network so can not be allowed or blocked with firewall rules, but are controlled using the relevant policy file (see [R4.x Updates proxy](/doc/software-update-vm/) for more detail).
 
-Note that if you specify a rule by DNS name it will be resolved to IP(s) *at the moment of applying the rules*, and not on the fly for each new connection.
-This means it will not work for servers using load balancing, and traffic to complex web sites which draw from many servers will be difficult to control.
+Note that if you specify a rule by DNS name it will be resolved to IP(s) *at the moment the rules take effect* (including each time the qube or netvm starts), and not on the fly for each new connection.
+This means it will not work reliably for servers that have different IPs at different times as a result of DNS-based load balancing.
 
 Instead of using the firewall GUI, you can use the `qvm-firewall` command in Dom0 to edit the firewall rules by hand.
 This gives you greater control than by using the GUI.
@@ -269,7 +269,8 @@ As an example we can take the use case of qube QubeDest running a web server lis
 
 **1. Identify the IP addresses you will need to use for sys-net, sys-firewall and the destination qube.**
 
-You can get this information using various methods, but only the first one can be used for `sys-net` outside world IP:
+You can get this information using various methods.
+Only the first method can be used for `sys-net` to find the external IP:
 
 - by running this command in each qube: `ip -4 -br a | grep UP`
 - using `qvm-ls -n`
@@ -284,7 +285,12 @@ Note the IP addresses you will need, they will be required in the next steps.
 
 For the following example, we assume that the physical interface ens6 in sys-net is on the local network 192.168.x.y with the IP 192.168.x.n, and that the IP address of sys-firewall is 10.137.1.z.
 
-In the sys-net VM's Terminal, the first step is to define an ntables chain that will receive DNAT rules to relay the network traffic on a given port to the qube NetVM, we recommend to define a new chain for each destination qube to ease rules management:
+When writing rules in sys-net, you can use `iif` or `iifname`.
+`iif` is faster, but can change where interfaces are dynamically created and destroyed, eg. ppp0.
+In that case use `iifname`, like this `iifname ens6`.
+`iifname` can also match wildcards - `iifname "eth*"`
+
+In the sys-net VM's Terminal, the first step is to define an nftables chain that will receive DNAT rules to relay the network traffic on a given port to the qube NetVM, we recommend to define a new chain for each destination qube to ease rules management:
 
 ```
 nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
@@ -292,25 +298,24 @@ nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority fi
 
 > Note: the name `custom-dnat-qubeDST` is arbitrary
 
-> Note: while we use a DNAT chain for a single qube, it's totally possible to have a single DNAT chain for multiple qubes
+> Note: while we use a DNAT chain for a single qube, it's possible to have a single DNAT chain for multiple qubes
 
 Second step, code a natting firewall rule to route traffic on the outside interface for the service to the sys-firewall VM
 
 ```
-nft add rule qubes custom-dnat-qubeDEST iif == "ens6" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
+nft add rule qubes custom-dnat-qubeDEST iifname ens6 ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
 ```
 
 Third step, code the appropriate new filtering firewall rule to allow new connections for the service
 
 ```
-nft add rule qubes custom-forward iif == "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
+nft add rule qubes custom-forward iifname ens6 ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
 ```
 
 > Note: If you do not wish to limit the IP addresses connecting to the service, remove `ip saddr 192.168.x.y/24` from the rules
+> If you want to expose the service on multiple interfaces, repeat steps 2 and 3 above, for each interface. Alternatively, you can leave out the interface completely.
 
-> If you want to expose the service on multiple interfaces, repeat the steps 2 and 3 described above, for each interface. Alternatively, you can leave out the interface completely.
-
-Verify the rules on sys-net firewall correctly match the packets you want by looking at its counters, check for the counter lines in the chains `custom-forward` and `custom-dnat-qubeDEST`:
+Verify the rules on the sys-net firewall correctly match the packets you want by looking at the counters: check for the counter lines in the chains `custom-forward` and `custom-dnat-qubeDEST`:
 
 ```
 nft list table ip qubes
@@ -320,12 +325,12 @@ In this example, we can see 7 packets in the forward rule, and 3 packets in the
 
 ```
 chain custom-forward {
-  iif "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter packets 7 bytes 448 accept
+  iifname ens6 ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter packets 7 bytes 448 accept
 }
 
 chain custom-dnat-qubeDEST {
   type nat hook prerouting priority filter + 1; policy accept;
-  iif "ens6" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter packets 3 bytes 192 dnat to 10.138.33.59
+  iifname ens6 ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter packets 3 bytes 192 dnat to 10.138.33.59
 }
 ```
 
@@ -351,18 +356,20 @@ Content of `/rw/config/qubes-firewall-user-script` in `sys-net`:
 if nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
 then
   # create the dnat rule
-  nft add rule qubes custom-dnat-qubeDEST iif == "ens6" saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
+  nft add rule qubes custom-dnat-qubeDEST iifname ens6 saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
 
   # allow forwarded traffic
-  nft add rule qubes custom-forward iif == "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
+  nft add rule qubes custom-forward iifname ens6 ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
 fi
 ~~~
 
 **3. Route packets from the FirewallVM to the VM**
 
-For the following example, we use the fact that the physical interface of sys-firewall, facing sys-net, is eth0. Furthermore, we assume that the target VM running the web server has the IP address 10.137.0.xx and that the IP address of sys-firewall is 10.137.1.z.
+For the following example, we use the fact that the interface of sys-firewall facing sys-net, is eth0.
+This is allocated to iifgroup 1.
+Furthermore, we assume that the IP address of sys-firewall is 10.137.1.z, and the target VM running the web server has the IP address 10.137.0.xx.
 
-In the sys-firewall VM's Terminal, add a DNAT chain that will contain routing rules:
+In the sys-firewall Terminal, add a DNAT chain that will contain routing rules:
 
 ```
 nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
@@ -371,13 +378,13 @@ nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority fi
 Second step, code a natting firewall rule to route traffic on the outside interface for the service to the destination qube
 
 ```
-nft add rule qubes custom-dnat-qubeDEST iif == "eth0" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
+nft add rule qubes custom-dnat-qubeDEST iifgroup 1 ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
 ```
 
 Third step, code the appropriate new filtering firewall rule to allow new connections for the service
 
 ```
-nft add rule qubes custom-forward iif == "eth0" ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
+nft add rule qubes custom-forward iifgroup 1 ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
 ```
 
 > Note: If you do not wish to limit the IP addresses connecting to the service, remove `ip saddr 192.168.x.y/24` from the rules
@@ -398,10 +405,10 @@ Content of `/rw/config/qubes-firewall-user-script` in `sys-firewall`:
 if nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
 then
   # create the dnat rule
-  nft add rule qubes custom-dnat-qubeDEST iif == "eth0" tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
+  nft add rule qubes custom-dnat-qubeDEST iifgroup 1 tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
 
   # allow forwarded traffic
-  nft add rule qubes custom-forward iif == "eth0" ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
+  nft add rule qubes custom-forward iifgroup 1 ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
 fi
 ~~~
 

user/templates/minimal-templates.md

@@ -55,7 +55,6 @@ Minimal templates of the following distros are available:
 
  - Fedora
  - Debian
- - CentOS
  - Gentoo
 
 A list of all available templates can also be obtained with the [Template Manager](/doc/template-manager/) tool.
@@ -305,75 +304,3 @@ Documentation on all of these can be found in the [docs](/doc/).
 You could, of course, use `qubes-vm-recommended` to automatically install many
 of these, but in that case you are well on the way to a standard Debian
 template.
-
-### CentOS
-
-The following list provides an overview of which packages are needed for which
-purpose. As usual, the required packages are to be installed in the running
-template with the following command (replace `packages` with a space-delimited
-list of packages to be installed):
-
-```
-[user@your-new-clone ~]$ sudo yum install packages
-```
-
-- Commonly used utilities: `pciutils` `vim-minimal` `less` `psmisc`
-  `gnome-keyring`
-- Audio: `pulseaudio-qubes`.
-- Networking: `qubes-core-agent-networking`, and whatever network tools
-  you want. N.B. minimal templates do not include any browser.
-- [FirewallVM](/doc/firewall/), such as the template for `sys-firewall`: at
-  least `qubes-core-agent-networking`, and also `qubes-core-agent-dom0-updates`
-  if you want to use it as the `UpdateVM` (which is normally `sys-firewall`).
-- NetVM, such as the template for `sys-net`: `qubes-core-agent-networking`
-  `qubes-core-agent-network-manager` `NetworkManager-wifi`
-  `network-manager-applet` `notification-daemon`
-  `gnome-keyring`. If your network devices need extra packages for a network
-  VM, use the `lspci` command to identify the devices, then find the package
-  that provides necessary firnware and install it. If you need utilities for
-  debugging and analyzing network connections, install the following packages:
-  `tcpdump` `telnet` `nmap` `nmap-ncat`
-- [USB qube](/doc/usb-qubes/), such as the template for `sys-usb`:
-  `qubes-usb-proxy` to provide USB devices to other Qubes and
-  `qubes-input-proxy-sender` to provide keyboard or mouse input to dom0.
-- [VPN
-  qube](https://forum.qubes-os.org/t/19061):
-  You may need to install network-manager VPN packages, depending on the VPN
-  technology you'll be using. After creating a machine based on this template,
-  follow the [VPN
-  howto](https://forum.qubes-os.org/t/19061#set-up-a-proxyvm-as-a-vpn-gateway-using-networkmanager)
-  to configure it.
-- `default-mgmt-dvm`: requires `qubes-core-agent-passwordless-root` and
-  `qubes-mgmt-salt-vm-connector`.
-
-In Qubes 4.0, additional packages from the `qubes-core-agent` suite may be
-needed to make the customized minimal template work properly. These packages
-are:
-
-- `qubes-core-agent-nautilus`: This package provides integration with the
-  Nautilus file manager (without it, items like "copy to VM/open in disposable"
-  will not be shown in Nautilus).
-- `qubes-core-agent-thunar`: This package provides integration with the thunar
-  file manager (without it, items like "copy to VM/open in disposable" will not
-  be shown in thunar).
-- `qubes-core-agent-dom0-updates`: Script required to handle `dom0` updates.
-  Any template on which the qube responsible for 'dom0' updates (e.g.
-  `sys-firewall`) is based must contain this package.
-- `qubes-menus`: Defines menu layout.
-- `qubes-desktop-linux-common`: Contains icons and scripts to improve desktop
-  experience.
-
-Also, there are packages to provide additional services:
-
-- `qubes-gpg-split`: For implementing split GPG.
-- `qubes-pdf-converter`: For implementing safe conversion of PDFs.
-- `qubes-img-converter`: For implementing safe conversion of images.
-- `qubes-snapd-helper`: If you want to use snaps in qubes.
-- `qubes-mgmt-salt-vm-connector`: If you want to use salt management on the
-  template and qubes.
-
-Documentation on all of these can be found in the [docs](/doc/).
-
-You could, of course, use `qubes-vm-recommended` to automatically install many
-of these, but in that case you are well on the way to a standard Debian
-template.

user/templates/templates.md

@@ -78,10 +78,15 @@ developers do not test them.
 * [Whonix](/doc/templates/whonix/)
 * [Ubuntu](/doc/templates/ubuntu/)
 * [Arch Linux](/doc/building-archlinux-template/)
-* [CentOS](/doc/templates/centos/)
-* [CentOS Minimal](/doc/templates/minimal/)
 * [Gentoo](/doc/templates/gentoo/)
 * [Gentoo Minimal](/doc/templates/minimal/)
+* [CentOS*](/doc/templates/centos)
+
+*\* The CentOS version used by this template reached 
+[End-of-Life in June 2024](https://en.wikipedia.org/wiki/CentOS_Stream#Release_history) 
+and is no longer receiving updates. Due to a lack of specific interest 
+at this time a proposal to create a new CentOS 10 template was 
+[declined](https://github.com/QubesOS/qubes-issues/issues/9716).*
 
 ## Windows
 
@@ -153,68 +158,21 @@ Please see [How to Install Software](/doc/how-to-install-software).
 
 ## Uninstalling
 
-If you want to remove a template you must make sure that it is not being used.
-You should check that the template is not being used by any qubes,
-and also that it is not set as the default template.
-
-The procedure for uninstalling a template depends on how it was created.
-
-If the template was originaly created by cloning another template, then you can
-delete it the same way as you would any other qube. In the Qube Manager,
-right-click on the template and select **Delete qube**. (If you're not sure,
-you can safely try this method first to see if it works.)
-
-If, on the other hand, the template came pre-installed or was installed by
-installing a template package in dom0, per the instructions
-[above](#installing), then you must execute the following type of command in
-dom0 in order to uninstall it:
+To remove a template, the graphical `Qube Manager` (Qubes Menu > Qubes Tools > Qube Manager) may be used. Right-click the template to be uninstalled and click "Delete qube" to begin removal. If no issues are found, a dialog box will request the template's name be typed as a final confirmation. Upon completion, the template will be deleted.
 
+Alternatively, to remove a template via the command line in dom0:
 ```
-$ qvm-template remove qubes-template-<DISTRO_NAME>-<RELEASE_NUMBER>
+$ qvm-template remove <TEMPLATE_NAME>
 ```
 
-`qubes-template-<DISTRO_NAME>-<RELEASE_NUMBER>` is the name of the desired
-template package.
-
-You may see warning messages like the following:
-
+\<TEMPLATE_NAME> is the first column from the output of:
 ```
-warning: file /var/lib/qubes/vm-templates/fedora-XX/whitelisted-appmenus.list: remove failed: No such file or directory
-warning: file /var/lib/qubes/vm-templates/fedora-XX/vm-whitelisted-appmenus.list: remove failed: No such file or directory
-warning: file /var/lib/qubes/vm-templates/fedora-XX/root.img.part.04: remove failed: No such file or directory
-warning: file /var/lib/qubes/vm-templates/fedora-XX/root.img.part.03: remove failed: No such file or directory
-warning: file /var/lib/qubes/vm-templates/fedora-XX/root.img.part.02: remove failed: No such file or directory
-warning: file /var/lib/qubes/vm-templates/fedora-XX/root.img.part.01: remove failed: No such file or directory
-warning: file /var/lib/qubes/vm-templates/fedora-XX/root.img.part.00: remove failed: No such file or directory
-warning: file /var/lib/qubes/vm-templates/fedora-XX/netvm-whitelisted-appmenus.list: remove failed: No such file or directory
-warning: file /var/lib/qubes/vm-templates/fedora-XX/icon.png: remove failed: No such file or directory
-warning: file /var/lib/qubes/vm-templates/fedora-XX/clean-volatile.img.tar: remove failed: No such file or directory
-warning: file /var/lib/qubes/vm-templates/fedora-XX/apps.templates: remove failed: No such file or directory
-warning: file /var/lib/qubes/vm-templates/fedora-XX/apps.tempicons: remove failed: No such file or directory
-warning: file /var/lib/qubes/vm-templates/fedora-XX/apps: remove failed: No such file or directory
-warning: file /var/lib/qubes/vm-templates/fedora-XX: remove failed: No such file or directory
+$ qvm-template list --installed
 ```
 
-These are normal and expected. Nothing is wrong, and no action is required to
-address these warnings.
+In either case, issues with template removal may be raised. If an issue is raised, the template will remain installed and a list of concerns displayed. "Global property default_template" requires [switching](#switching) the default_template property to another template. "Template for" can be resolved by [switching](#switching) the dependent qubes' template. Once the issues are addressed, attempt the removal again.
 
-If the uninstallation command doesn't work, pay close attention to
-any error message: it may tell you what qube is using the template,
-or if the template is default. In other cases, please see [VM Troubleshooting](/doc/vm-troubleshooting/).
-
-If the Applications Menu entry doesn't go away after you uninstall a template,
-execute the following type of command in dom0:
-
-```
-$ rm ~/.local/share/applications/<TEMPLATE_NAME>
-```
-
-Applications Menu entries for backups of removed qubes can also be found in
-`/usr/local/share/applications/` of dom0.
-
-```
-$ rm /usr/local/share/applications/<TEMPLATE_NAME>
-```
+If the template's entry in the Qubes Menu is not removed with its uninstallation, consult the [troubleshooting page](/doc/app-menu-shortcut-troubleshooting/#fixing-shortcuts).
 
 ## Reinstalling
 
@@ -429,8 +387,9 @@ this context: the same as their template filesystem, of course.
 
 * Some templates are available in ready-to-use binary form, but some of them
   are available only as source code, which can be built using the [Qubes
-  Builder](/doc/qubes-builder/). In particular, some template "flavors" are
-  available in source code form only. For the technical details of the template
+  Builder](https://github.com/QubesOS/qubes-builderv2/). In particular, some
+  template "flavors" are  available in source code form only. For the
+  technical details of the template
   system, please see [Template Implementation](/doc/template-implementation/).
-  Take a look at the [Qubes Builder](/doc/qubes-builder/) documentation for
+  Take a look at the [Qubes Builder](/doc/qubes-builder-v2/) documentation for
   instructions on how to compile them.

user/templates/xfce-templates.md

@@ -13,7 +13,13 @@ title: Xfce templates
 ---
 
 If you would like to use Xfce (more lightweight compared to GNOME desktop environment) Linux distribution in your qubes,
-you can install one of the available Xfce templates for [Fedora](/doc/templates/fedora/), [Debian](/doc/templates/debian/), [CentOS](/doc/templates/centos/), or [Gentoo](/doc/templates/gentoo/).
+you can install one of the available Xfce templates for [Fedora](/doc/templates/fedora/), [Debian](/doc/templates/debian/), [Gentoo](/doc/templates/gentoo/) or [CentOS*](/doc/templates/centos/).
+
+*\* The CentOS version used by this template reached 
+[End-of-Life in June 2024](https://en.wikipedia.org/wiki/CentOS_Stream#Release_history) 
+and is no longer receiving updates. Due to a lack of specific interest 
+at this time a proposal to create a new CentOS 10 template was 
+[declined](https://github.com/QubesOS/qubes-issues/issues/9716).*
 
 ## Installation
 
@@ -30,7 +36,7 @@ You may wish to try again with the testing repository enabled:
 [user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-itl-testing qubes-template-X-xfce
 ```
 
-If you would like to install a community distribution, like CentOS or Gentoo, try the install command by enabling the community repository:
+If you would like to install a community distribution such as Gentoo, try the install command by enabling the community repository:
 
 ```
 [user@dom0 ~]$ sudo qubes-dom0-update --enablerepo=qubes-templates-community qubes-template-X-xfce

user/troubleshooting/gui-troubleshooting.md

@@ -6,16 +6,22 @@ ref: 233
 title: GUI troubleshooting
 ---
 
-## Can't click on anything after connecting 4k external display
+## Can't click on parts of the screen after connecting high-resolution external display
 
-When you connect a 4K external display, you may be unable to click on anything but a small area in the upper-right corner.
+When you connect a high-resolution external display, you may be unable to click on parts of the screen.
 
 When a qube starts, a fixed amount of RAM is allocated to the graphics buffer called video RAM.
 This buffer needs to be at least as big as the whole desktop, accounting for all displays that are or will be connected to the machine.
 By default, it is as much as needed for the current display and an additional full HD (FHD) display (1920×1080 8 bit/channel RGBA).
-This logic fails when the machine has primary display in FHD resolution and, after starting some qubes, a 4K display is connected.
+This logic fails when the machine has primary display in FHD resolution and, after starting some qubes, a high-resolution display is connected.
 If the buffer is too small, and internal desktop resize fails.
 
+To determine if this is the problem affecting you, look at the Xorg log inside the Qube at `/home/user/.local/share/xorg/Xorg.0.log` for lines like the following:
+
+~~~
+[  1623.988] (EE) DUMMYQBS(0): Unable to set up a virtual screen size of 3440x1440 with 17101 Kb of video memory available.  Please increase the video memory size.
+~~~
+
 The solution to this problem is to increase the minimum size of the video RAM buffer, as explained in [GUI Configuration](/doc/gui-configuration/#video-ram-adjustment-for-high-resolution-displays).
 
 ## Screen blanks / Weird computer glitches like turning partially black or black boxes