Qubes not loading without manual selection in boot menu. Is it actually a problem? And a few more questions from a newbie

Hello. I’m a newbie, a user who wants to migrate from Tails to Qubes. I have a couple of questions.

  1. I installed Qubes twice on the same HP laptop. The first time was version 4.0.1, the second time was 4.1.2, and both times the OS did not load via Grub. When the computer was turned on, it reported that it did not have an OS on it. But both times the installer reported that the installation was successful. The disk partitioning itself was automatic, without my participation. To start the OS, I had to enter the boot menu and choose the grub loader manually.

The actual path was as follows:

Boot From EFI File / Name of file (or disc?) / < EFI > / further selection of three items: < BOOT >, < fedora >, < qubes > (I choose “< qubes >”), further items: < fonts >, <xen-4.14.5.efi>, <grubx64.efi>, <xen.efi> (I choose <grubx64.efi>) and then grub is loading. Then comes a suggestion to enter the password from the disk.

The point is, I don’t think it’s a problem, I actually think it’s not a bug - it’s a feature. Because now, if the “evil forces” get hold of my computer, I can always say that it doesn’t have any OS on it, and if they turn it on, they’ll see it if they don’t dig deeper.

Basically, the point is that I’m okay with this moment, and I’m not at all keen on worrying about it, but I have to ask just in case: are there after all any serious reasons for me to start worrying and search for a way to restore the normal way of booting, or can I really leave everything as it is without any losses? If the work of the OS is not affected in any way, then everything is OK for me.

  2. In the second stage of the installation, when there was a component selection phase, I removed the checkboxes from Fedora and Debian, and left only Whonix so I wouldn’t have any clearnet traffic, and everything would always be routed through the Tor network, as it is in Tails. But below there were important points for me to check, and because I left only Whonix, these items became inactive. I needed the USB qube to be able to work with the Internet, as the Internet in qubes will work through a modem. To keep this item active, I briefly checked Debian again, checked the Internet in the USB qube, and then removed the Debian tick again. Did this help in any way, or, because neither Debian nor Fedora were installed, will the modem not work in Qubes? I’m asking because it’s not physically possible to test the modem because it’s not there yet. So at least I will know ahead of time and, if anything, I will reinstall the OS in a normal way.
    In general, is it necessary to install OSes other than Whonix so that Qubes can function as intended?

P.S. The other thing that’s troubling is that if you type the wrong password from the disk several times, the computer sends out a black screen with an error that there are no paths like dom0/root and a few more with dom0. That it cannot actually load the OS. Nowhere in the manual on Qubes have I met such a feature. Is this a normal moment (I mean, was this originally intended?) or is there something wrong with it?

Did you install it on a USB drive or did you remove the drive from your PC after installing Qubes OS?
Check this issue:

It’ll help only against someone with average user knowledge.

It won’t cause any issues.

Yes. You can’t use whonix template for system qubes.

It works as intended and it works the same way for any other Linux system.

1 Like

Is it possible to install Debian on Qubes without re-installation of Qubes OS?

You can install the rpm package of the debian template from the installer with this command in a dom0 terminal:

sudo dnf install /path/to/debian/template/package.rpm

You’ll need to mount the installer USB in dom0 and search for the package there. You can search for "*debian*.rpm".

1 Like

I installed it on the SSD drive of the laptop. It was an unlabeled disk. It had more than enough space. Do you mean removing the hard drive itself? Then no. I removed only the USB stick after the installation process of the OS was finished and it asked to reboot the computer. That issue started already then, but then I already knew how to boot Qubes manually, and then did it and continued the installation process. By “installation process” I mean the second phase, when the installation of components like Debian, Fedora and Whonix goes on.

OK then. If other packages except Whonix are needed, then how can I prevent my traffic from being leaked into clearnet? I chose Qubes hoping it can give me a protected Tor sandbox as Tails does, but with the much better protection of Qubes VMs.

If you use this setup:
sys-net (using debian template with your network PCI controllers attached) ↔ sys-whonix (using whonix-gateway template) ↔ anon-whonix (using whonix-workstation template)
Then nothing from anon-whonix qube will be leaked to clearnet.

1 Like
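The chain described in the reply above can be checked from a dom0 terminal. This is an added example, not part of the original posts: it relies on the real `qvm-prefs <qube> netvm` query, while the function names, the 16-hop limit and the treatment of an empty or `None` result as "no netvm" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify that a qube reaches the network only via a Whonix gateway.

# Print the netvm of qube $1. qvm-prefs is the real dom0 tool; an empty
# result or "None" is assumed here to mean "no netvm".
get_netvm() {
    qvm-prefs "$1" netvm 2>/dev/null
}

# Print the netvm chain of qube $1 as space-separated names, qube first.
netvm_chain() {
    qube=$1
    chain=$qube
    hops=0
    while [ "$hops" -lt 16 ]; do        # assumed limit, guards against loops
        next=$(get_netvm "$qube")
        case $next in
            ''|None) break ;;
        esac
        chain="$chain $next"
        qube=$next
        hops=$((hops + 1))
    done
    printf '%s\n' "$chain"
}

# Return 0 if qube $1 has no netvm or its first hop is gateway $2
# (default sys-whonix); return 1 if the first hop is anything else.
check_torified() {
    gateway=${2:-sys-whonix}
    set -- $(netvm_chain "$1")
    if [ "$#" -eq 1 ]; then
        echo "OK   $1 (no netvm)"
        return 0
    fi
    if [ "$2" = "$gateway" ]; then
        echo "OK   $*"
        return 0
    fi
    echo "LEAK $* (first hop is $2, expected $gateway)"
    return 1
}

# In dom0, check the qube named on the command line (default anon-whonix).
if command -v qvm-prefs >/dev/null 2>&1; then
    check_torified "${1:-anon-whonix}"
fi
```

A workstation qube whose netvm was set to sys-net or sys-firewall by mistake is reported as `LEAK`, which is the misconfiguration the thread asks about.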

Thanks for the help. Another question: is there a way to encrypt the disk with a keyfile instead of a password? It has two advantages:

  1. If you destroy a keyfile, no one can ever decrypt the disk. In contrast to a password, which can be obtained through “thermorectal cryptanalysis”.
  2. A password can be typed wrong during the first encryption (because it was too long and you made a mistake while typing it) and you either can’t decrypt the disk anymore, or you have to enter a long password for half an hour each time. :)
    The documentation really lacks a manual on how to encrypt the disk of Qubes with a keyfile.

P.S. I can’t decrypt my drive with my password anymore, so I still have to reinstall the OS. So I decided to ask this question before reinstalling.

And what should it be for? I didn’t see anything there about encryption with the keyfile. Did you send this because of something about proper manual disk partitioning, about which there maybe is something written? I didn’t understand for sure yet because the text is still complicated for me. I don’t have enough experience yet to figure out every single thing that is written there.

Is there a way to translate the Qubes’ interface into another language? Because they’re like the spaceship’s dashboard and everything’s in English.

This topic is about creating this setup for Qubes OS:
https://wiki.archlinux.org/title/Dm-crypt/Specialties#Encrypted_/boot_and_a_detached_LUKS_header_on_USB
It’s better than just having a USB drive with a key that anyone can steal/copy or get from you using force before you manage to destroy it, and then decrypt your Qubes OS without asking you anything.
It’s an advanced topic so you’ll have to spend some time reading to understand it.

It’s better to keep the interface in English, because when you try to follow some instructions in English you won’t know what to do, since you won’t know how exactly the English instructions translate to the interface in another language.

2 Likes

Thank you for your answers. While getting acquainted with Qubes, I realized that this OS is too complicated to use at once in my work and learn it like that, “in combat conditions”, so I came to the understanding that I need to begin somehow to test it in a safe environment and conditions. Of all the possible options, I have one: to install one more Qubes, but this time on the external hard drive, and test it there until I master it properly. Except it’s not empty. Is it possible to install Qubes on the remaining free space so that you can load the OS and, when you need, open files on this disk, as on ordinary external media? Let’s say, create a partition on this disk for the OS. I will put the OS there and encrypt this partition during installation, and the rest of the partition will be a normal NTFS partition with files.

Or I also have an internal HDD. There is no operating system, just file storage. With files on it too. I could use it the same way as described above. It could be something like dual boot but with the OSes installed on different disks. Is it possible to do?
P.S. The OS installed on that computer is Windows 10, not Linux.

You can install it using the free space on any of your disks the same way you can do it with any other Linux distribution.
But be aware of the possible security risks with multibooting:

1 Like

So, if I use the default Qubes installation, then even if I install it on a different disk, only Qubes will boot but not Windows? Once I already installed Linux after Windows 10 and had to do extra steps to place Windows in the Grub menu, but then they were installed on the same disk. So, as I understand, even if they are installed on different disks, Qubes anyway overwrites some boot partition (wherever it is or whatever it is, I don’t know this thing for sure) and only Qubes will be bootable after that? Or even if so, can I still enter the boot menu each time I turn my computer on and then manually choose which disk to boot from, and this way boot one of the two OSes when needed, without the extra steps of placing Windows 10 in the grub menu of Qubes? Am I right in something?

No, only if Qubes OS is installed on the same disk that already has some other OS installed.

You’ll be able to boot like this from BIOS if you install Qubes OS on a separate drive where no other OSes are installed.

1 Like

I read the manuals on the Qubes and Whonix website and never found the answers to some questions.

  1. Do I even need the sys-net and sys-firewall qubes and the qubes that use them, or can they all be uninstalled without any worries? I need all my traffic to go through the Tor network as it is in Tails, so can I delete them all to eliminate any possibility of traffic leakage into the clearnet? Or without these qubes, will the OS not work normally or not work at all?

  2. What is the point of there being a Disposable Template if this Disposable Template is exactly the same Template, only based on another Template? Why can’t you create Disposables right on the Templates?

  3. When creating a Whonix Workstation qube, why give the ability to choose which Internet qube to connect to it, when it is crystal clear that if it is a Whonix Workstation, then it needs either sys-whonix (aka Whonix Gateway), or no Internet at all (and then it should be “none”)? Why give the ability to connect sys-net if then clearnet traffic will go out, bypassing Tor?

You need to attach your PCI network controllers to one of the qubes to connect to the internet.
If you attach it directly to sys-whonix then it’ll be less secure:

And you just won’t use the possible security provided by Qubes OS:

How does Qubes OS provide security?

Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated compartments called qubes.

Also, I’m not sure if Whonix Gateway even supports attaching PCI network controllers directly to it.

You can have multiple Whonix Gateway qubes and not only a single sys-whonix. Also see this issue:

2 Likes