Qubes R3 and Windows 7 !


Belaïd Abadja

Sep 30, 2015, 6:03:49 AM
to qubes...@googlegroups.com



Hello Mrs Rutkowska,


Sorry to disturb you, but maybe you or someone at ITL can help me, please?

I am a sysadmin for one of the most important Belgian ISPs (VOO, www.voo.be), which bought my pay TV (BeTV) company for their quadruple play offer!

We are investigating a secure desktop solution for isolating admin tasks (without Internet access) and office tasks (mail + internet, ...)! One of the ideas of a contractor is to use VDI for admin tasks on our office desktop (?!?!)!
The recommendation for isolation is to use 2 PCs (not practicable)! So, Googling, I found your amazing solution, well thought out for a lot of security aspects! I know your impressive background, RESPECT!

In my opinion, Qubes is well suited for Linux admin! But we would like to test a Windows appVM! Is it possible? Is it possible to convert our office desktop into an appVM, and run it from Qubes? Can the mic or cam still be supported (e.g. Lync conference)? Do you think Qubes is well suited for our goal, not yet or not at all?

Another question about NetVM! NetVM is run in an unprivileged domain because we don't care if it's compromised, as you said in a conference! If the attacker has full control of that VM, does that mean that he can still sniff all the network traffic?

I hope you or someone at ITL will reply to these questions ...

I wish all the best to you, ITL and this great project! God bless you!


Thanks for your help.

Regards.







Eric Shelton

Oct 2, 2015, 12:12:07 PM
to qubes-devel, belaid...@betv.be
On Wednesday, September 30, 2015 at 6:03:49 AM UTC-4, Belaïd Abadja wrote:

> Hello Mrs Rutkowska,
>
> Sorry to disturb you, but maybe you or someone at ITL can help me, please?

I am not part of ITL, but I may be able to answer some of your questions.
 
> In my opinion, Qubes is well suited for Linux admin! But we would like to test a Windows appVM! Is it possible?

I have been successfully using Windows 7 in "production" use for a number of months.  I have had no issues, beyond those generally imposed by operating Windows within a VM (for example, no 3D graphics (which may or may not be solved by PCI passthrough) and no sound (this can be solved by PCI passthrough of a PCI/PCIE sound device or a USB controller with an attached USB sound device)).
 
> Is it possible to convert our office desktop into an appVM, and run it from Qubes?

It _may_ be possible.  You could try something along the lines of creating an HVM domain, doing 'dd if=/dev/sdb of=win7.img' (where sdb is the Win 7 hard drive), and then using win7.img in place of root.img in the appropriate directory under /var/lib/qubes/appvms/.  However, keep in mind that this is pretty much equivalent to taking a hard drive with Windows from one computer, and trying to boot it in another computer.  You might have driver issues or Windows Activation issues that keep it from working.

Really, it is much simpler to just install a new copy of Windows than go through the above, as it will definitely work.
 
> Can the mic or cam still be supported (e.g. Lync conference)?

For that, your best option is to do PCI passthrough of a USB controller, and plug a USB webcam into the appropriate port.  You can also plug in a sound card.

On laptop systems, there often is only one USB controller available for passthrough, which means you could not use the USB port for other appvms (actually, you might be able to, just not while Windows is running).  Some day there will be a dedicated USB domain that can share USB devices with other domains, but do not expect it in the near future (and it may take even more time to get it to work with Windows).

On desktop systems, there are usually multiple USB controllers, and you can just assign one of them to your Windows appvm.

NOTE: Your system must support Vt-d in order to do PCI passthrough to a Windows HVM-based appvm.  Only a fraction of laptop systems and desktop motherboards correctly enable Vt-d.  It does not mean your system will cost more money, but it does have to be carefully selected.  For desktop motherboards, Gigabyte and ASRock generally work - for a given motherboard model, go to the manufacturer's website, download the PDF manual, and see if the BIOS has an option to enable/disable Vt-d.  For laptops, you can check the Qubes HCL, or do the above thing with reviewing the manual for a BIOS setting.
 
> Do you think Qubes is well suited for our goal, not yet or not at all?

The US Air Force is pretty much doing the same thing as Qubes OS with its SecureView OS for running applications at various and independent levels of data sensitivity on a single machine (looking at slides 22, 23, 37, and 38, it seems to have a very Qubes-like UI):


Qubes will probably be good for your purposes.

 
> Another question about NetVM! NetVM is run in an unprivileged domain because we don't care if it's compromised, as you said in a conference! If the attacker has full control of that VM, does that mean that he can still sniff all the network traffic?

That is correct - but in practice, its isolation in a separate domain is part of what prevents that from happening.  Generally, attacks are going to come into your system via an application or program you are running in one of your appvms.  Let's assume one of your appvms does get compromised (this is one of the assumptions of the Qubes security model - that the prevalence of zero day and other vulnerabilities makes this effectively impossible to prevent, despite best practices).  Now everything that happens in that VM, including network activity, could be known to the attacker.  However, unless there is an exploit in Xen (the Qubes security model assumes there is not one, an assumption which has pretty much held true), the attacker cannot break out of that one appvm.  That means applications in other appvms remain isolated, and it also means that NetVM and FirewallVM also are isolated.  This is why there is a separate NetVM to begin with.

Attack vectors for NetVM would primarily be via the network adapters assigned to NetVM.  For example, if you are using a wifi adapter, there is the risk of a firmware bug in the wifi adapter that could allow someone to leverage an exploit against NetVM, and take over NetVM.  You could look at this situation much as if someone took over a router in your network, and then think about how you mitigate that risk.  For example, the Windows 7 appvm could be using a VPN for network access, leaving your NetVM attacker only with access to encrypted data.  Also, generally the notion is that even if NetVM is exploited, your other VMs should remain isolated (although NetVM is semi-privileged, in that it could send poisoned data to appvms that somehow leverages exploits in the appvms).

If an attacker gets physical access to your system, there are no security guarantees.  This is not specific to Qubes.  There is Anti Evil Maid (which requires Intel TXT support and a TPM), but really, if someone takes a screwdriver to your system, there is no telling what might happen.

If USB is not assigned to its own domain, you are vulnerable to BadUSB types of attacks.  Again, this is not specific to Qubes.


I hope the above is helpful in making your decision,
Eric

Eric Shelton

Oct 2, 2015, 4:03:26 PM
to Belaïd Abadja, qubes-devel
On Fri, Oct 2, 2015 at 3:26 PM, Belaïd Abadja <belaid...@betv.be> wrote:
> For the Windows part, my thought was to use a tool like xenconvert and put
> the image on an external USB drive, install Qubes on the same PC, and create
> the HVM with the image (no hardware problem, I hope)! Is it possible?

I do not think xenconvert is needed. A simple 'dd' should work. But
keep in mind you need to do the whole drive, not just a single
partition. To reduce the size of the image, you might be able to get
Windows to shrink its partition, and dd enough of the drive to cover
the MBR, partition table, and Win7 partition.

Also, note that you can install and run Qubes OS on an external drive just fine.

> In 10 days, I have to present the solution to my management and try to
> convince them to use Qubes, but without Windows (like our desktop, but in a
> more secure way), no chance to succeed!

With a 10-day deadline, I suggest you get Qubes installed on a machine
ASAP to start becoming familiar with it.

> If I reinstall Windows based on the install CD in an HVM, if we want to use
> the functionality of clipboard and file sharing securely, we need the Windows
> tools (not free)! Where can we get them and how?

As best as I understand it, the windows tools are free (as in beer) to
use, they simply aren't open sourced, and so are not free in the
copyleft sense. See
http://theinvisiblethings.blogspot.com/2012/12/qubes-2-beta-1-with-initial-windows.html
(saying the tools "are free to use for any Qubes 2 user"). However, I
do not speak for ITL. I have _not_ been using the beta tools myself,
but there are instructions out there for downloading and installing
them. Basically, after Windows is installed in the HVM, Qubes can
download the tools and present them as a virtual CDROM when you boot
Windows, allowing you to install the tools.

> About the mic/cam, these are internal: we are using HP EliteBook and
> Fujitsu PCs at the company, mostly laptops for our sysadmins! If it is not
> supported, it would be sad, and maybe we can live without them?

There was some recent discussion about a user seeking to use a
microphone in Windows. I think that particular user decided they could do
the same thing in a Linux PV-based appvm (to which you can do PCI
passthrough of a device, such as a USB controller, even without Vt-d).
So, you might consider whether there is a non-Windows workaround,
depending on what you need the webcam for. Otherwise, you are out of
luck until you buy new, Vt-d enabled, laptops.

At least some HP Elitebooks do support Vt-d:

http://h30434.www3.hp.com/t5/Notebook-Hardware/EliteBook-840-BIOS-support-for-Intel-VT-d-and-TXT/td-p/5067540

It is easy enough to check in your BIOS settings.

> If you or someone from qubes-dev can reply, it would be nice?
>
> Thanks a lot for your kindness and your support, keep going and I wish you
> and the Qubes project all the best.

No problem.


Another approach that you might consider is establishing a more formal
business relationship with ITL, and seeing if they would set up some
kind of contract with your company. I feel like in the past they were
interested in doing that sort of business, although it might have been
with bigger clients in mind. Email Joanna or Marek directly to ask
(more about doing business, what you are trying to accomplish, and how
many users are involved, and less about technical questions).

Eric
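
The partial-image step described in the message above (copy only enough of the drive to cover the MBR, partition table and Win7 partition), as an added example that is not part of the original posts. It assumes an MBR-partitioned disk with 512-byte sectors and an `sfdisk -d` dump of its partition table; the function names and the sample dump are constructed for illustration, and the script only prints the `dd` command.

```shell
#!/bin/sh
# Added example: size a partial 'dd' image from an MBR partition table.
# Reads an `sfdisk -d` dump on stdin; nothing here touches a real disk.

# Constructed sample: a Windows 7 disk after shrinking the main partition
# (100 MiB "System Reserved" + 40 GiB system partition, 512-byte sectors).
SAMPLE_DUMP='# partition table of /dev/sdb
unit: sectors

/dev/sdb1 : start=     2048, size=   204800, Id= 7, bootable
/dev/sdb2 : start=   206848, size= 83886080, Id= 7
/dev/sdb3 : start=        0, size=        0, Id= 0
/dev/sdb4 : start=        0, size=        0, Id= 0'

# Print the first sector past the last used partition, i.e. how many
# sectors (counted from sector 0, so the MBR is included) must be copied.
# Empty slots (size 0) are ignored; fails if no partition is found.
image_sectors() {
    awk '
        /start=/ && /size=/ {
            line = $0
            gsub(/[ \t]/, "", line)
            s = line; sub(/.*start=/, "", s); sub(/,.*/, "", s)
            z = line; sub(/.*size=/, "", z); sub(/,.*/, "", z)
            if (z + 0 > 0 && s + z > max) max = s + z
        }
        END {
            if (max == 0) exit 1
            printf "%.0f\n", max
        }'
}

# Print (do not run) the dd command that captures those sectors, rounding
# up to whole 1 MiB blocks (2048 sectors of 512 bytes) for speed.
# usage: dd_plan SOURCE_DEVICE IMAGE_FILE < sfdisk-dump
dd_plan() {
    sectors=$(image_sectors) || { echo "no partitions found" >&2; return 1; }
    blocks=$(( (sectors + 2047) / 2048 ))
    echo "dd if=$1 of=$2 bs=1M count=$blocks"
}

# Demo on the constructed dump; /dev/sdb and win7.img are the names used
# in the thread.
printf '%s\n' "$SAMPLE_DUMP" | dd_plan /dev/sdb win7.img
```

On a real system the dump would come from `sfdisk -d /dev/sdb`; check the printed command before running it, since everything past the last partition is left out of the image.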

Belaïd Abadja

Oct 2, 2015, 4:48:15 PM
to Eric Shelton, qubes-devel
Hello Mr Shelton,


Thanks a lot for your reply, it confirms all my feelings about this great project!

For the Windows part, my thought was to use a tool like xenconvert and put the image on an external USB drive, install Qubes on the same PC, and create the HVM with the image (no hardware problem, I hope)! Is it possible?


In 10 days, I have to present the solution to my management and try to convince them to use Qubes, but without Windows (like our desktop, but in a more secure way), no chance to succeed!

If I reinstall Windows based on the install CD in an HVM, if we want to use the functionality of clipboard and file sharing securely, we need the Windows tools (not free)! Where can we get them and how?

About the mic/cam, these are internal: we are using HP EliteBook and Fujitsu PCs at the company, mostly laptops for our sysadmins! If it is not supported, it would be sad, and maybe we can live without them?


If you or someone from qubes-dev can reply, it would be nice?

Thanks a lot for your kindness and your support, keep going and I wish you and the Qubes project all the best.


Regards.

7v5w7go9ub0o

Oct 2, 2015, 5:31:09 PM
to qubes...@googlegroups.com

Is Windows specifically necessary?

Qubes comes with secure, private, handsome, native (Linux) support of
many "office" tasks. Perhaps you can significantly increase your
office's security AND spare them the $ cost of leasing MS applications.

Belaïd Abadja

Oct 2, 2015, 6:08:32 PM
to Eric Shelton, qubes-devel
Hello Eric,


Again, thanks a lot for your help and advice!

Qubes OS R3 is installed on a spare PC for a POC, and I have been playing with it
for a week (the Linux part)! Qubes is a project that I have followed for
about 2 years now! But to be honest, I don't have any idea about the
size of the community/qubes-devel that supports the project, and why this
great project seems to be known only by some people interested in
security? I know the project is young, but it deserves more attention in my
opinion!

I've just created a Win7 Pro HVM, and I will install some tools we
need in my company for a demo (I hope I will not have a lot of surprises)!

Our goal is to protect our sysadmins (most privileged users, about 20
people) in our company (250 people, BeTV, a Belgian pay TV) depending on
our Group (VOO, a major ISP in Belgium, 3000 employees), and try to
follow some security best practices like isolation of admin tasks in a
separate network and so on ...

If the POC is OK (I hope), we will present the solution to the
security group of the Group (monthly meeting)! Our contractors think
they can achieve the goal using an "untrusted" PC with VDI for admin
tasks (it's nonsense to me)!


Before contacting Joanna or Marek (I've not succeeded with their ITL
email address as mentioned in contact: name@....), I have to convince
my management first and secondly the Group!

Thanks to your advice, maybe Qubes will be used by our Group for some
privileged users to protect them, and to try to protect our most
sensitive assets by the way ...


Thanks for your help and kind regards.

Radoslaw Szkodzinski

Oct 4, 2015, 4:19:33 AM
to Eric Shelton, qubes-devel, belaid...@betv.be
On Fri, Oct 2, 2015 at 6:12 PM, Eric Shelton <knock...@gmail.com> wrote:
> On Wednesday, September 30, 2015 at 6:03:49 AM UTC-4, Belaïd Abadja wrote:
>>
>>
>> Hello Mrs Rutkowska,
>>
>> Sorry to disturb you, but maybe you or someone at ITL can help me, please?
>
>
> I am not part of ITL, but I may be able to answer some of your questions.

Likewise.

>
>>
>> In my opinion, Qubes is well suited for Linux admin! But we would like to
>> test a Windows appVM! Is it possible?
>
>
> I have been successfully using Windows 7 in "production" use for a number of
> months. I have had no issues, beyond those generally imposed by operating
> Windows within a VM (for example, no 3D graphics (which may or may not be
> solved by PCI passthrough) and no sound (this can be solved by PCI
> passthrough of a PCI/PCIE sound device or a USB controller with an attached
> USB sound device)).

Windows 8.1 also works, and you can slightly tweak VM configuration
for better performance thanks to Hyper-V extras it supports out of the
box.

The HDA Intels common in laptops can be reassigned via IOMMU as well,
they are PCI devices.
This would be required for potentially upcoming SoundVM.

>>
>> Can the mic or cam still be supported (e.g. Lync conference)?
>
>
> For that, your best option is to do PCI passthrough of a USB controller, and
> plug a USB webcam into the appropriate port. You can also plug in a sound
> card.
>
> On laptop systems, there often is only one USB controller available for
> passthrough, which means you could not use the USB port for other appvms
> (actually, you might be able to, just not while Windows is running). Some
> day there will be a dedicated USB domain that can share USB devices with
> other domains, but do not expect it in the near future (and it may take even
> more time to get it to work with Windows).

It is also possible to massage Windows to run Jack Audio Connection
Kit. You will need a virtual sound card driver for this, specifically:
http://vb-audio.pagesperso-orange.fr/Cable/
Then, you will have to set up netjack2 as per guides, with the other
end in SoundVM (if that's implemented truly already, my own one is
pretty patchy).
I recommend using Xen option sched=sedf in that case (supported in
Qubes 3+) for better latency behavior. If it's a SoundVM, you can also
tweak the CPU allocation.
I also recommend modifying that HVM to have a dedicated virtual
network card for Jack.

Some enterprising software developer could convert netjack2 backend to
work over Xen Virtual Channels for even better performance.

Qubes uses Pulseaudio out of the box - Pulseaudio can interface with
Jack via its driver modules.
Likewise you can interface with multiple sound cards in Jack using
zita-ajbridge and a2jmidid.

> On desktop systems, there are usually multiple USB controllers, and you can
> just assign one of them to your Windows appvm.
>
> NOTE: Your system must support Vt-d in order to do PCI passthrough to a
> Windows HVM-based appvm. Only a fraction of laptop systems and desktop
> motherboards correctly enable Vt-d.

It's not that bad anymore, higher end workstation laptops from Lenovo,
Dell and HP just work in this regard. They need working VT-d for high
performance Hyper-V support.
Generally, pick a Windows 8 or newer compatible laptop with something
stronger than a Core i3; it's even more sure if it has Windows 8/8.1/10
Professional on it out of the box.
No idea how AMD-based laptops stack up.

> It does not mean your system will cost
> more money, but it does have to be carefully selected. For desktop
> motherboards, Gigabyte and ASRock generally work - for a given motherboard
> model, go to the manufacturers website, download the PDF manual, and see if
> the BIOS has an option to enable/disable Vt-d. For laptops, you can check
> the Qubes HCL, or do the above thing with reviewing the manual for a BIOS
> setting.

Nowadays, broken IOMMU seems relatively rare. For desktop mainboards,
AMD-based systems are generally safe too.


Best regards,
--
Radoslaw Szkodzinski

Belaïd Abadja

Oct 4, 2015, 10:56:46 AM
to Radoslaw Szkodzinski, Eric Shelton, qubes-devel, belaid...@betv.be
Hello,


Thanks for your reply, good news, I'll try as soon as I have
Windows 7 started with the Windows tools, but that's not the case until now,
even following the procedure, but maybe I've missed something?

I've created an HVM with a new Windows 7 install, fully updated (service
pack 1 and so on)! I've tried to install the Windows tools
(current-testing) following that procedure
(https://www.qubes-os.org/doc/HvmCreate/) and the HVM doesn't start
anymore (I've tried the full install first)! So, I removed the HVM,
reinstalled all the stuff, and cloned that HVM! I've tried to reinstall the
Windows tools (typical installation) from that cloned HVM and it cannot
be restarted!!!

I forgot to mention that when the Windows HVM starts, I can't resize
the screen of that HVM! I guess that's because the Windows tools are
not installed? Qubes is installed on an HP ProBook 6450b with the BIOS
option virtualisation support ON (I guess VT-d)?

So, question: is there a problem with the procedure I've followed or a
problem with the Windows tools package (a bug or an incompatibility with
my installation)?


Can someone help me please ?

Thanks and regards.

Eric Shelton

Oct 4, 2015, 11:46:15 AM
to qubes-devel, astra...@gmail.com, knock...@gmail.com, belaid...@betv.be
On Sunday, October 4, 2015 at 10:56:46 AM UTC-4, Belaïd Abadja wrote:
> Hello,
>
>
> Thanks for your reply, good news, I'll try as soon as I have
> Windows 7 started with the Windows tools, but that's not the case until now,
> even following the procedure, but maybe I've missed something?
>
> I've created an HVM with a new Windows 7 install, fully updated (service
> pack 1 and so on)! I've tried to install the Windows tools
> (current-testing) following that procedure
> (https://www.qubes-os.org/doc/HvmCreate/) and the HVM doesn't start
> anymore (I've tried the full install first)! So, I removed the HVM,
> reinstalled all the stuff, and cloned that HVM! I've tried to reinstall the
> Windows tools (typical installation) from that cloned HVM and it cannot
> be restarted!!!

Unfortunately, I can't provide help with the windows tools - I haven't been using them.
 
> I forgot to mention that when the Windows HVM starts, I can't resize
> the screen of that HVM! I guess that's because the Windows tools are
> not installed? Qubes is installed on an HP ProBook 6450b with the BIOS
> option virtualisation support ON (I guess VT-d)?

Many BIOSes have two separate options, with the virtualization setting enabling VT-x, and another option (often labeled Vt-d or IOMMU) separately enabling Vt-d.  However, perhaps some BIOSes have just a single setting.  The 6450b is an older model, so that may factor in as well (maybe making Vt-d support less likely, or use of a single option for both more likely).

There are quite a few different CPUs used in your model of laptop:

Both the HM57 and QM57 chipsets support Vt-d.  All of the i5 and i7 CPUs they used also support Vt-d.  If your current BIOS is not enabling Vt-d, you might see if a newer BIOS was released that does.

You can confirm that Vt-d is being successfully used by Xen by running 'xl info' in a dom0 console window.  You should see 'hvm_directio' under 'virt_caps' if Vt-d is available.  If not, you can run 'xl dmesg' to see if there is anything interesting being reported.

Best,
Eric
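
The `xl info` check from the message above, as an added example that is not part of the original posts. The function names, the status strings and the sample outputs are constructed for illustration; only the `virt_caps` line and its `hvm` / `hvm_directio` tokens come from the thread.

```shell
#!/bin/sh
# Added example: classify `xl info` output by its virt_caps line.
# Per the thread: 'hvm_directio' under 'virt_caps' means Xen is using Vt-d,
# which PCI passthrough to a Windows HVM requires. A BIOS "virtualization"
# switch may only enable VT-x, which shows up as 'hvm' alone.

# Constructed sample outputs (trimmed to a few fields).
XL_INFO_VTD='host                   : dom0
machine                : x86_64
nr_cpus                : 4
virt_caps              : hvm hvm_directio
total_memory           : 8076'

XL_INFO_VTX_ONLY='host                   : dom0
machine                : x86_64
nr_cpus                : 4
virt_caps              : hvm
total_memory           : 8076'

# Print the capability tokens from the virt_caps line (stdin = xl info).
# Fails if the line is missing, e.g. when the input is not xl info output.
virt_caps() {
    awk -F: '$1 ~ /^virt_caps[ \t]*$/ { sub(/^[ \t]+/, "", $2); print $2; found = 1 }
             END { exit !found }'
}

# Print one of (hypothetical status names):
#   hvm-passthrough     VT-x and Vt-d active: PCI passthrough to an HVM works
#   hvm-no-passthrough  VT-x only: HVMs run, but no passthrough to them
#   no-hvm              no hardware virtualization reported
#   unknown             no virt_caps line found
# Tokens are compared whole, because "hvm" is a prefix of "hvm_directio"
# and a substring match would report VT-x-only hosts incorrectly.
passthrough_status() {
    caps=$(virt_caps) || { echo "unknown"; return 0; }
    hvm=no
    directio=no
    for tok in $caps; do
        case $tok in
            hvm)          hvm=yes ;;
            hvm_directio) directio=yes ;;
        esac
    done
    if [ "$directio" = yes ]; then
        echo "hvm-passthrough"
    elif [ "$hvm" = yes ]; then
        echo "hvm-no-passthrough"
    else
        echo "no-hvm"
    fi
}

# Demo on the constructed samples; in dom0: xl info | passthrough_status
printf '%s\n' "$XL_INFO_VTD" | passthrough_status
printf '%s\n' "$XL_INFO_VTX_ONLY" | passthrough_status
```

When the result is `hvm-no-passthrough`, `xl dmesg` is the next place to look, as the message above suggests.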

7v5w7go9ub0o

Oct 4, 2015, 3:28:04 PM
to qubes...@googlegroups.com

On 10/04/2015 11:46 AM, Eric Shelton wrote:
> On Sunday, October 4, 2015 at 10:56:46 AM UTC-4, Belaïd Abadja wrote:
>
> Hello,
>
>
> Thanks for your reply, good news, I'll try as soon as I have
> Windows 7 started with the Windows tools, but that's not the case until now,
> even following the procedure, but maybe I've missed something?
>
> I've created an HVM with a new Windows 7 install, fully updated
> (service pack 1 and so on)! I've tried to install the Windows tools
> (current-testing) following that procedure
> (https://www.qubes-os.org/doc/HvmCreate/) and the HVM doesn't start
> anymore (I've tried the full install first)! So, I removed the HVM,
> reinstalled all the stuff, and cloned that HVM! I've tried to reinstall
> the Windows tools (typical installation) from that cloned HVM and it
> cannot be restarted!!!
>
>


> Unfortunately, I can't provide help with the windows tools - I haven't
> been using them.

I presume then that you can not copy files to/from Windows to/from other
VMs!?

Eric Shelton

Oct 4, 2015, 4:40:48 PM
to qubes-devel
On Sunday, October 4, 2015 at 3:28:04 PM UTC-4, 7v5w7go9ub0o wrote:

> On 10/04/2015 11:46 AM, Eric Shelton wrote:
> > On Sunday, October 4, 2015 at 10:56:46 AM UTC-4, Belaïd Abadja wrote:
> >
> >     Hello,
> >
> >
> >     Thanks for your reply, good news, I'll try as soon as I have
> >     Windows 7 started with the Windows tools, but that's not the case
> >     until now, even following the procedure, but maybe I've missed
> >     something?
> >
> >     I've created an HVM with a new Windows 7 install, fully updated
> >     (service pack 1 and so on)! I've tried to install the Windows tools
> >     (current-testing) following that procedure
> >     (https://www.qubes-os.org/doc/HvmCreate/) and the HVM doesn't start
> >     anymore (I've tried the full install first)! So, I removed the HVM,
> >     reinstalled all the stuff, and cloned that HVM! I've tried to
> >     reinstall the Windows tools (typical installation) from that cloned
> >     HVM and it cannot be restarted!!!
> >
> >
>
> > Unfortunately, I can't provide help with the windows tools - I haven't
> > been using them.
>
> I presume then that you can not copy files to/from Windows to/from other
> VMs!?


You also do not get the nifty seamless windows without the tools.  However, keep in mind that you can set up network file sharing between a Windows AppVM and a PV-based Linux AppVM, via samba, for example.  You just have to configure the firewall to allow it.  As long as you effectively treat the two AppVMs as a single security domain, I don't see why that would conflict with the security model facilitated by Qubes.

Eric

7v5w7go9ub0o

Oct 4, 2015, 6:14:18 PM
to qubes...@googlegroups.com

On 10/04/2015 04:40 PM, Eric Shelton wrote:
> On Sunday, October 4, 2015 at 3:28:04 PM UTC-4, 7v5w7go9ub0o wrote:
>
>
> On 10/04/2015 11:46 AM, Eric Shelton wrote:
> > On Sunday, October 4, 2015 at 10:56:46 AM UTC-4, Belaïd Abadja
Ah...... got it.

Yep, that'll allow one to proceed.

But ISTM proceed at the cost of losing one of the BIG advantages of
Qubes: that one can *securely* and easily copy between VMs without extra
servers, virtual ethernets, et al. (I greatly appreciate that Wintools
worked so well in R2.)

Thanks; guess I'll wait 'til R3 Windows tools becomes operational.

Belaïd Abadja

Oct 6, 2015, 6:08:29 AM
to Eric Shelton, qubes-devel, astra...@gmail.com, belaid...@betv.be
Hello,


I received yesterday a brand new Fujitsu Lifebook E-series (without SSD) and 8G mem! VT-x and VT-d have been enabled, I've reinstalled all the stuff (Qubes R3, Windows 7 Pro, service pack and all patches, java, ...), and "hvm hvm_directio" is now displayed with "xl info"! The HVM was cloned! I can't resize the Windows HVM! I've installed the Windows tools too, but when I start the Windows HVM, I've got the same problem, the HVM GUI is not displayed: waiting on VM's qrexec agent, connected, waiting for user '...' login, but NO GUI!!!


Can someone help me please ?


Thanks and regards.




Rafał Wojdyła

Oct 6, 2015, 9:19:56 AM
to Belaïd Abadja, Eric Shelton, qubes-devel, astra...@gmail.com
On 2015-10-06 11:47, Belaïd Abadja wrote:
> Hello,
>
>
> I received yesterday a brand new Fujitsu Lifebook E-series (without
> SSD) and 8G mem! VT-x and VT-d have been enabled, I've reinstalled
> all the stuff (Qubes R3, Windows 7 Pro, service pack and all patches, java,
> ...), and "hvm hvm_directio" is now displayed with "xl info"! The
> HVM was cloned! I can't resize the Windows HVM! I've installed the
> Windows tools too, but when I start the Windows HVM, I've got the same
> problem, the HVM GUI is not displayed: waiting on VM's qrexec agent,
> connected, waiting for user '...' login, but NO GUI!!!
>
> Can someone help me please ?
>
>
> Thanks and regards.

The gui daemon in dom0 may not be running. This post contains known
issues with Windows Tools and solutions to common problems:

https://groups.google.com/d/msg/qubes-users/giQq9WJJ9qA/2JQ9kqZyCAAJ


--
Rafał Wojdyła
Qubes Tools for Windows developer
https://www.qubes-os.org/


Rafał Wojdyła

Oct 6, 2015, 9:21:41 AM
to Belaïd Abadja, Eric Shelton, qubes-devel, astra...@gmail.com
(resending with inline GPG signature)

--
Rafał Wojdyła
Qubes Tools for Windows developer
https://www.qubes-os.org/

Belaïd Abadja

Oct 7, 2015, 6:47:52 AM
to Rafał Wojdyła, Eric Shelton, qubes-devel
Hello,


Thanks for your help, the Windows HVM can be started now with autologon
(I hope there will be a fix soon?)!

The seamless GUI is not activated, do I have to activate the option, and
what initial memory is advised?


But now, all my Linux VMs start without the GUI, but I can run a command in
a VM (like firefox) and it works! What can I do to have a GUI with the Linux
VMs as before installing the Windows tools (from the unstable repository), please?

I have another problem when Qubes (R3 RC1) starts: sometimes I have to
turn my PC off and on because the keyboard is not working? Is it a
known problem and do you have a fix?

In the Windows HVM, I have no sound (driver not installed), what do I have
to install?

For the template VM, I always have the update icon and when I try to
update the VM, there is nothing to do! Any idea?

Why is the Dom0 uname Fedora 20 and not 21 like the template VM
(3.19.8-100:fc20.x86_64), do I have to update the Dom0 (I've tried and,
as with the Fedora 21 template, nothing to do!!!)?


I have to demonstrate a PoC for Qubes in my company on Monday (very
short delay, sorry), maybe if I reinstall Qubes R2 with the Windows tools
I will have fewer problems, do you confirm?

Thanks for your help !


Regards.

Jeremias E.

Oct 7, 2015, 8:49:58 AM
to qubes-devel, om...@invisiblethingslab.com, knock...@gmail.com, belaid...@betv.be

> The seamless GUI is not activated, do I have to activate the option, and
> what initial memory is advised?
 
I use at minimum 1024 MB or if I want to really work with the Windows 7 HVM 2048-3072 MB.

Eric Shelton

Oct 7, 2015, 11:55:56 AM
to qubes-devel, om...@invisiblethingslab.com, knock...@gmail.com, belaid...@betv.be
On Wednesday, October 7, 2015 at 6:47:52 AM UTC-4, Belaïd Abadja wrote:
> Hello,
>
> Thanks for your help, the Windows HVM can be started now with autologon
> (I hope there will be a fix soon?)!
>
> The seamless GUI is not activated, do I have to activate the option, and
> what initial memory is advised?

There are a few threads running around on qubes-devel and/or qubes-users relating to the R3 windows tools.  Check those out to see what problems people have been running into, and how they have solved them.  There may be some users that are fully satisfied with the current state of the windows tools once a few details are sorted out.

Also, you are more likely to get the answers you are looking for by posting in those threads.
 
> But now, all my Linux VMs start without the GUI, but I can run a command in
> a VM (like firefox) and it works! What can I do to have a GUI with the Linux
> VMs as before installing the Windows tools (from the unstable repository), please?

I am not quite sure what you mean by the GUI.  It sounds like you are maybe looking for a typical Linux desktop environment, but running in a single window?  That is not generally how Qubes is used.  Instead, think of the Qubes desktop being much like X Windows displaying applications running on another machine, where you can ssh into a box, set the DISPLAY environment variable, and the application displays on your local machine while running on the remote machine.  Much like this, Qubes gives you a seamless display of windows from various AppVMs, but with the windows decorated with colors and the name of the AppVM.

If you really want to do a more conventional Linux-in-a-VM approach, where the VM has its own desktop environment, you will need to install it in an HVM-based AppVM.  I generally do not recommend it, since you lose various benefits of running in the PV-based AppVMs, such as seamless windows, cut and paste, and automatic memory balancing among the AppVMs.

Also, note that the KVM 'start menu' type thing is a good way to start up applications in AppVMs.  Typically you will not start an AppVM via Qubes Manager, which is what it sounds like you were doing.
 
> I have another problem when Qubes (R3 RC1) starts: sometimes I have to
> turn my PC off and on because the keyboard is not working? Is it a
> known problem and do you have a fix?

First, note that RC1 is an old release.  The final R3 (no longer release candidate) was recently released.  I believe running an update from dom0 and your TemplateVM will get you up to date, but I'm not entirely sure about that.

Second, try using the most recent kernel available - sometimes that fixes these types of issues (however, from below, it looks like you are already running 3.19 - 3.18 was causing lots of problems).  Run a search on qubes-users and qubes-devel, and you should find some instructions on this.  It is more likely a Linux issue, and not so much a Qubes or Xen issue, so Google search for reports on using your laptop model with Linux.  It is one of the things about running Linux on a laptop that was essentially designed to run Windows.  On one laptop I had, the trackpad would stop working occasionally in Linux (also requiring a reboot), but it never happened under Windows.

You can also try plugging in a USB keyboard (maybe even after your keyboard fails), so that when your keyboard stops working, you can still type on your machine and maybe track down what is going on.  Often looking at the output of 'dmesg' will show an error message.
 
> In the Windows HVM, I have no sound (driver not installed), what do I have
> to install?

You will not get sound in Windows, as the support is not in place.  It may be possible using network-based audio using Jack, but I have not seen any reports of anyone actually having done it yet.  If you don't care about sound elsewhere, and really want it working in Windows, you can do a PCI passthrough of your audio device.  However, given your Monday deadline, I would pass on this issue for now.

Sound support is on the 'someday' list - but not a high priority right now.
 
> For the template VM, I always have the update icon and when I try to
> update the VM, there is nothing to do! Any idea?

Shut down all of your AppVMs (but not the sys-firewall and sys-net ServiceVMs).  Then start up your TemplateVM (run a console session).  Then, I think right click on your TemplateVM (should be fedora-21), and do 'Update VM.'  Alternatively, you can do 'sudo yum update', I believe.

Also, if you edit /etc/yum.repos.d/google-chrome.repo, setting 'enabled=1', you can do a 'sudo yum install google-chrome'.  However, Firefox generally works better - there is some interaction between Chrome and Xen where certain websites cause tabs or all of Chrome to crash.

Another thing I would not mess around with much given the tight time.  If what you want to work is working, that should be enough for now.
 
> Why is the Dom0 uname Fedora 20 and not 21 like the template VM
> (3.19.8-100:fc20.x86_64), do I have to update the Dom0 (I've tried and,
> as with the Fedora 21 template, nothing to do!!!)?

dom0 runs Fedora 20.  The PV AppVMs run Fedora 21.  Not really a big deal, since most of the real work you want to do is running in your PV AppVMs.  Just one of those things with release cycles of various components, and prioritizing limited development resources.  It sounds like the next version of Qubes will get at least the AppVMs, if not dom0 as well, up to Fedora 23.
 
> I have to demonstrate a PoC for Qubes in my company on Monday (very
> short delay, sorry), maybe if I reinstall Qubes R2 with the Windows tools
> I will have fewer problems, do you confirm?

That is up to you, and what you think you want or need to demonstrate.  For example, if the Windows tools for R3 are not where you need them to be, then you will likely want to go back to R2.  

If I were in your place, I would probably have two hard drives going (for example, adding a USB external drive) - one with R2 and one with R3.  What you learn working on one will likely apply to the other.  Then get both up and running and see what suits your needs better.  There is little, if any, cosmetic difference between the two.  For R3, a lot of work has been done on internals relating to the new HAL (hypervisor abstraction layer), which down the road may lead to non-Xen based hypervisors being used by Qubes.

Best of luck,
Eric
