This should be part of a tip on how to turn SMT on, otherwise it just lacks context.
Enabling SMT has potentially severe security implications, which is why SMT was disabled by the devs to begin with. While it’s hard to argue that increased performance is a niche desire, increased performance at the cost of security is a different matter. Tips with security implications, if allowed at all, must be marked with clear warning labels, but I fear that even when marked, just having the tip published might give the false perception that it’s less-risky.
Regarding publication of tips with clear security implications, I’ve no strong feelings either way. I think I’d default to saying that everything in the forum should be taken with caution, and that applying changes you don’t understand well is likely unwise.
On whether this instance is a tip in itself without the “how to enable SMT” context… I agree with your judgement:
That being said, I suspect that the trick works because the smt=off line is managed by Salt (educated guess), which has convenience functions that ensure content is present in a file, in a way that adds it if missing and does nothing if present.
Leaving the line in the file and overriding it would work in any similar situation. So that may be a useful technique to know of.
Now, does it fit the category: “Quick Quality Improvements”? I’d say no. “Tips and tricks”? Maybe.
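The override technique discussed above (keep the managed smt=off line, add a later line that overrides it), as an added example that is not part of any post in this thread: a check that reports which smt value ends up in effect and whether sched-gran=core, mentioned elsewhere in the thread, accompanies smt=on. The GRUB_CMDLINE_XEN_DEFAULT layout, the last-occurrence-wins rule and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout: Xen options sit in
# GRUB_CMDLINE_XEN_DEFAULT assignments, space-separated, and a later
# occurrence of an option overrides an earlier one.

# xen_opt FILE KEY: print the last value given for KEY, or nothing.
xen_opt() {
    awk -v k="$2" '
        /^GRUB_CMDLINE_XEN_DEFAULT=/ {
            gsub(/"/, " ")
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n && substr($i, 1, n - 1) == k) v = substr($i, n + 1)
            }
        }
        END { if (v != "") print v }' "$1"
}

# smt_audit FILE: print a verdict. Returns 0 if SMT is not enabled here,
# 1 if SMT is on with sched-gran=core, 2 if SMT is on without it.
smt_audit() {
    smt=$(xen_opt "$1" smt)
    gran=$(xen_opt "$1" sched-gran)
    case "$smt" in
        on|1|yes|true|enable)   # spellings Xen accepts for a true boolean
            if [ "$gran" = core ]; then
                echo "NOTE: smt=$smt is in effect; sched-gran=core is set"
                return 1
            fi
            echo "WARN: smt=$smt is in effect without sched-gran=core"
            return 2 ;;
        *)
            echo "OK: SMT not enabled by this file (smt=${smt:-unset})"
            return 0 ;;
    esac
}

# Constructed sample: the managed line stays, an override line follows it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
GRUB_CMDLINE_XEN_DEFAULT="$GRUB_CMDLINE_XEN_DEFAULT smt=off"
GRUB_CMDLINE_XEN_DEFAULT="$GRUB_CMDLINE_XEN_DEFAULT smt=on"
EOF
smt_audit "$sample" || true
rm -f "$sample"
```

The check reads only the file it is given; comparing its verdict with the options Xen actually booted with is a separate step.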
Since the forum is almost entirely made up of non-security researchers, non-developers and non-Xen experts I see no way to even begin assessing posts.
Also I don’t think it makes sense for the community to try to take users “at the hand”. Instead it should go like this:
If you have security concerns, use Qubes OS in its default configuration without any modifications. Only follow instructions clearly published by the core team / official project. Expect each and every community post to be a malicious attempt to weaken your security.
If you are using Qubes OS as a hobby or to learn or you are sure you understand the implications of your configurations well enough to bet your security on it… by all means have at it.
I’ll take Sven’s suggestion and not do any hand-holding here–we can have tips that have security implications as long as they’re clearly labeled as such.
@renehoj Would you like to post a tip on how to turn on SMT, which includes your grub modification?
Good idea, but we’ll do the negative version of this to save words: Whenever a new release comes around, everything gets tagged with Untested for R4.X, which gets removed as tip creators/users report failure or success.
Good idea to leave the default line and override it!
I always add “sched-gran=core” with “smt=on”; it avoids running different VMs on the same core, mitigating some (potential) data leaks between different VMs.
So the last line would be:
Can someone here tell me how to “undo” pkill? I didn’t know I could set a timer on it, as shown in the script here on this thread, so I did it without a timer and I did it globally to an admin user … because I didn’t know how to change the admin user name without killing the 3120 process running and thought maybe pkill everything would be easier and well it was and was not because I got to change the user name but now can’t use that admin user anymore until I resume all the processes for that account and I have no idea how
Using i3, there is a way to open a terminal in the VM of the focused window ($mod+Enter by default).
Sometimes you’d want to be root in that terminal easily. You can define yet another keyboard shortcut to do so ($mod+Shift+Enter in the following example).
in dom0:~/.config/i3/config:
bindsym $mod+Return exec qubes-i3-sensible-terminal
bindsym $mod+Shift+Return exec qubes-i3-sensible-terminal.root
@unman, @ruza, and/or anyone else should double check my interpretations of the above two entries.
After much deliberation, I decided to place @ruza’s i3 version under “etc.” because I feel a tip for i3 isn’t mainstream enough to warrant prominent placement.
Having monitors with multiple inputs (i.e. HDMI and DisplayPort), you can switch monitor inputs using a keyboard without needing to do so physically on the monitor.
Lets the user take a screenshot based on rectangular selection and sends it to the currently focused VM
#!/bin/bash
# Lets the user take a screenshot based on rectangular selection and sends it to the currently focused VM.
# bash is required for the [[ ]] test below.
CUR_WIN_ID=$(xdotool getwindowfocus)
CUR_VM=$(xprop _QUBES_VMNAME -id "$CUR_WIN_ID" | cut -d \" -f 2)
# Skip windows that carry no _QUBES_VMNAME property (xprop reports "not found")
if [[ "$CUR_VM" != "_QUBES_VMNAME: not found." ]]; then
    xfce4-screenshooter -r -o "qvm-copy-to-vm $CUR_VM"
    notify-send "Screenshot sent!" "Your selection has been sent as a screenshot to $CUR_VM!"
fi