💾 Archived View for gemini.greenleader.xyz › technotes.gmi captured on 2022-04-28 at 18:02:31. Gemini links have been rewritten to link to archived content

View Raw

More Information

➡️ Next capture (2022-06-03)

-=-=-=-=-=-=-

Technotes - Notes on tech and privacy.

2022-04-26: Setting up my work template in Qubes

I'm mostly a blue-team security guy and backup systems engineer in a primarily Windows environment. This means that a lot of my work is done in browsers and from Powershell. Initially, I'll be doing a lot of my work from a Windows HVM (see my post from 2022-03-16 on how to get that imported), but once I get VPN/networking connecting me to the office, I'll be migrating that load to AppVMs, appropriately segmented for the level of access I'm using.

Today I set up the template VM I'm using for my work appVMs. I'm running the Debian 10 template; there's a Debian 11 template available, but there's still some bugs (for example, it can't mount exfat partitions, even with the appropriate packages installed). I'll be installing remmina for RDP access, codium for, well, coding, Chromium, Edge, and PowerShell.

First, I cloned the template to "debian-10-work". Then I enabled networking on the template (some of the installs require going out to the web for curl/wget actions).

Let's do the easy ones first:

apt install remmina
apt install chromium

Next, codium (reference: https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo#option-1-recommended):

wget -qO - https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/raw/master/pub.gpg \
    | gpg --dearmor \
    | sudo dd of=/usr/share/keyrings/vscodium-archive-keyring.gpg
echo 'deb [ signed-by=/usr/share/keyrings/vscodium-archive-keyring.gpg ] https://paulcarroty.gitlab.io/vscodium-deb-rpm-repo/debs vscodium main' \
    | sudo tee /etc/apt/sources.list.d/vscodium.list
sudo apt update
sudo apt install codium

I had some major issues with the Edge install; for some reason I couldn't get their signing key to work following the instructions on the official site (https://www.microsoftedgeinsider.com/en-us/download?platform=linux-deb) which caused apt update to fail. I undid all of that, but did eventually get it going. More on that after PowerShell.

pwsh (reference: https://docs.microsoft.com/en-us/powershell/scripting/install/install-debian?view=powershell-7.2#installation-on-debian-10-via-package-repository):

wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install -y powershell

After I finished the PowerShell install, I checked the apt keys (apt-key list) and found that the same key was used for both PowerShell and Edge. So, I tweaked the line to import the repo, tried again, and it worked!

sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/edge stable main" > /etc/apt/sources.list.d/microsoft-edge.list'
apt update
apt install microsoft-edge-stable

Phew! That's working well now. Now if the 20GB image file with my HVM would quit crashing part way through downloading, I could move in full-time. Next up, trying to get NDES/SCEP enrollment working and get connected to our VPN.

2022-04-25: Librem 14v1 First Impressions

Finally received my Purism Librem 14v1 (not their fault on the delay). Here are my first impressions and some of my initial setup concerns.

I ordered the 32GB / 1TB / SeaBIOS + coreboot / Qubes version. First impression at unboxing is that this is a really attaractive laptop. Nice sharp corners, matte finish, no markings on the top or inside, minimal markings on the bottom. Gives me vibes like a "murdered out" car. Screen is nice, too. I like that sticker life, but I'm go

ing to keep the back clean until it starts getting scratched.

On first boot, you're prompted for your LUKS password. I wasn't given one. I checked the FAQ and support site without luck. I gave up and emailed, but while I was waiting, I found a blog post from the CEO (https://puri.sm/posts/qubes-now-a-preinstall-option-for-librem-14-and-mini/) that mentioned it was blank. Facepalmed, hit the enter key, and was taken to the Qubes OOBE. That was fairly straight forward, especially since I've installed Qubes before. I created a user and set the encryption password and was on my way...

Or so I thought. They shipped the machine with Qubes 4.0 installed. The whonix templates included were the deprecated -15 ones. I could have reinstalled Qubes, but I wanted to get the whole "new user" experience, so I toughed it out.

System time was *way* off. I had to fix that before updates would work (due to cert validity), and it took a reboot before it kicked in. Then I performed a distribution upgrade to get to 4.1: https://www.qubes-os.org/doc/upgrade/4.1/

From dom0:

sudo qubes-dom0-update -y qubes-dist-upgrade
sudo qubes-dist-upgrade --all

reboot

sudo qubes-dist-upgrade --resync-appmenus-features

The whonix installs were still on -15, so had to import the new templates:

sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=reinstall qubes-template-whonix-ws-16
sudo qubes-dom0-update --enablerepo=qubes-templates-community --action=reinstall qubes-template-whonix-gw-16

Re-assign the App VMs to the updated templates (don't forget to change the DispVM setting in the -ws VM) and delete -15 templates:

qubes-dom0-update --action=remove cubes-template-whonix-ws-15
qubes-dom0-update --action=remove cubes-template-whonix-gw-15

I also went ahead and installed the Debian 11 template:

sudo qubes-dom0-update --action=install qubes-template-debian-11

That's it for now. I've got to start adding apps to my templates, setting up my app vms, and importing the Windows HVM that I need. Also need to try to see if I can get OpenConnect working (I was working on it on a tester for the past month, but could never get it to work in our environment).

2022-03-16: Hyper-V VM to Qubes HVM

Fairly straight-forward here.

- Create your VM in Hyper-V (I imaged it via SCCM to get a fully standard work build).

- Install the Qubes Windows tools (xenbus, xenvbd drivers, qubes-tools-4.0.1.3).

- Shutdown the VM.

- Convert the disk image from vmdk to raw format:

qemu-img convert -f vhdx -O raw <path to vmdk> <path to target .raw file>

- Copy the file to dom0 (run from dom0):

qvm-run --pass-io untrusted 'cat "/media/user/externalhd/win10.raw"' > /home/user/win10.img

- Create the HVM (set the RAM, label, and machine name as you wish):

qvm-create --property=virt_mode=hvm --property=memory=4096 --property=kernel='' --label red --standalone --root-move-from /home/user/win10.img win10

Reference: https://www.qubes-os.org/doc/standalones-and-hvms/#converting-virtualbox-vms-to-qubes-hvms

Reference: https://github.com/Qubes-Community/Contents/blob/master/docs/os/windows/windows-tools.md

I'm super pumped to get my Librem 14 in a few weeks. Since I work remote I don't have to worry about jealous coworkers, but on the other hand I don't get to show off, either :(.

2022-02-14: i3 Install on OpenBSD

OK, here we go, time to write up how *I* installed i3 on OpenBSD 7.0. Hopefully the format will translate from my notes.

Reference: https://ronvalente.net/posts/install-i3-on-openbsd/

Reference: https://www.nxfury.com/lock-down-your-laptop-with-openbsd-part-2

Install packages

pkg_add i3-gaps i3status rofi rxvt-unicode chromium irssi w3m vim openbsd-backgrounds

Kill login console:

sed -i 's/xconsole/#xconsole/' /etc/X11/xenodm/Xsetup_0

echo 'xset b off' >> /etc/X11/xenodm/Xsetup_0

apmd (Advanced Power Management Daemon)

Not using this on the Mini.

rcctl enable apmd
rcctl set apmd flags -A
rcctl start apmd
mkdir /etc/apm
# append next two lines to /etc/apm/suspend:
#!/bin/sh
pkill -USR1 xidle
chmod +x /etc/apm/suspend

Resources

I'm not familiar with this; just following the guide. Apparently some groups get more resources than others, so you have to make these mods for performance reasons:

usermod -G staff labadmin

Modify the staff: entry in /etc/login.conf to look like this:

staff:\
  :datasize-cur=1024M:\
  :datasize-max=8192M:\
  :maxproc-cur=512:\
  :maxproc-max=1024:\
  :openfiles-cur=4096:\
  :openfiles-max=8192:\
  :stacksize-cur=32M:\
  :ignorenologin:\
  :requirehome@:\
  :tc=default:

The only ones I had to modify in my config away from default were macproc-cur, maxproc-max, and I had to add the openfiles and stacksize values.

Then, append this to /etc/sysctl.conf:

# shared memory limits (chrome needs a ton)
kern.shminfo.shmall=3145728
kern.shminfo.shmmax=2147483647
kern.shminfo.shmmni=1024

# semaphores
kern.shminfo.shmseg=1024
kern.seminfo.semmns=4096
kern.seminfo.semmni=1024

kern.maxproc=32768
kern.maxfiles=65535
kern.bufcachepercent=90
kern.maxvnodes=262144
kern.somaxconn=2048

sysctl.conf did not exist when I started.

Desktop Setup

Run as user, not root:

mkdir -p ~/.config/gtk-3.0

nano ~/.config/gtk-3.0/settings.ini

Add these lines:

[Settings]
gtk-theme-name=Adwaita
gtk-icon-theme-name=Adwaita
gtk-font-name=Arimo 9
gtk-toolbar-style=GTK_TOOLBAR_ICONS
gtk-toolbar-icon-size=GTK_ICON_SIZE_SMALL_TOOLBAR
gtk-button-images=1
gtk-menu-images=1
gtk-enable-event-sounds=1
gtk-enable-input-feedback-sounds=1
gtk-xft-antialias=1
gtk-xft-hinting=1
gtk-xft-hintstyle=hintslight
gtk-xft-rgba=rgb
gtk-cursor-theme-size=0
gtk-cursor-theme-name=Default
gtk-key-theme-name=Default

As root:

cp /usr/local/share/examples/i3status/i3status.conf /etc

From the nxfury page:

Lastly, let's configure i3 to actually launch. Open /etc/X11/xenodm/Xsession in a text editor and go to the end of the text file. There will be a portion saying exec fvwm. Remove that line entirely and replace it with exec i3. Now search for anything in this file saying xconsole and remove it (this prevents automatic launching of a console in your desktop.)

Note that this is just "exec i3" not with the prefix variable or any of that nonsense.

Skipping the intel section, not relevant on Mac Mini.

Referenced guides don't include i3lock.

pkg_add i3lock

pkg_add xautolock

At the end of ~/.config/i3/config, add the following lines:

bindsym $mod+Shift+m exec i3lock -c 000000
exec --no-startup-id xautolock -time 15 -locker "i3lock -c 000000"

The first line binds mod-shift-m to lock the screen.

The second starts when i3 starts and locks your screen after 15 minutes.

That wraps it up for now. Stay tuned!

2022-02-09: Compiling SyncTERM on OpenBSD

It's taken me a little while to get around to writing up the i3 install. I'll get to that later. For now, let's take a look at getting my current favorite BBS software, SyncTERM, installed and configured for OpenBSD.

I was initially excited because a pkg_add syncterm worked. Unfortunately, the version in the repo wasn't compiled with ssh support. Annoying. I tried downloading the current .tar.gz of the release version (1.1p), but had trouble compiling. I finally got it working with the latest version in git.

References:

Meatlotion's Linux compile instructions: https://www.erb.pw/how-to-install-syncterm-for-linux-from-source/

Bugs 40, 41, and 80 from the SyncTERM bug tracker: https://sourceforge.net/p/syncterm/tickets

A lot of searching and learning about compiling in OpenBSD.

Note that I may have missed a dependency here. Shouldn't be too hard to find it.

Run this as root:

pkg_add unzip gcc git

git clone https://gitlab.synchro.net/main/sbbs.git

cd sbbs/src/syncterm

st_path=$(pwd | sed 's/\/syncterm$//g')

gmake SRC_ROOT=$sst_path

gmake install

which syncterm

It installed to /usr/local/bin/syncterm on my system. Running "syncterm -iSF" runs it full screen, stretched to fit. SSH works as you would expect.

2022-01-25: GrapheneOS

I've been messing around with various alternate Android ROMs for a long time. It's always an adventure - get root, unlock the bootloader, find the right ROM for your exact version of the device, flash it, brick it, recover it, try again, etc.

Usually I'll end up with LineageOS, without any Google services. However, after work got me a Pixel 3 for (cough) testing, I finally had a chance to try Graphene OS.

The Pixel 3 is the oldest supported device for GrapheneOS and may fall off before too long. When buying a phone for GrapheneOS, make sure you can unlock the bootloader - the carrier-provided versions don't allow this and prevent you from installing alternate ROMs. The eBay listing should mention this, or you can ask the carrier. If the IMEI starts with "3", it's a Verizon phone and definitely won't work.

All that said, installing GrapheneOS is the *easiest* alternate ROM install I've ever done. Their web-based installer is flawless. Once booted into the phone you'll find that it's extremely minimal. The first thing to do is go install F-Droid and Aurora so you can easily install other apps. The device is very smooth and the interface is visually appealing.

In terms of drawbacks, the first is that, as all of the supported devices are Pixel 3 and later, you can't buy a phone that has a MicroSD slot; you're committed to the storage on the phone and no more. The second drawback, for some users, is that since Google Play services are not installed, some apps won't work (including Microsoft Intune, if you need it for work).

I'm currently daily driving this as my "personal" phone (I need a full Android experience for work). I'll follow up in a few days with some more impressions.

2022-01-19: Mac Mini / OpenBSD dual boot install

I began the dual boot install today; the practice runs I took while waiting for the install kit for the second drive paid off. I'm going to document the actual installer steps below. My environment:

- Mac Mini 2011 (MacMini5,2) with dual SSDs, labeled DISK0 and DISK1.

- DISK0 has MacOS Catalina (dosdude1 patched).

- DISK1 is blank.

- The OpenBSD install image (install70.img) is installed on a USB stick.

- Network is connected via Ethernet.

Step-by-step process:

Insert the installer into the Mini.

Hold down the ALT key and power on the Mini.

From the boot menu, select "Windows" (which is actually OpenBSD - the boot menu is just stupid).

At the Welcome choose (i) for install.

At the keyboard layout prompt hit enter for the default.

Enter your host name.

Configure your network interface (on the Mini bge0 is the ethernet interface name).

Choose [autoconf] for IPv4.

Don't bother with IPv6.

Choose [done].

Enter the root password twice.

Set sshd to start by default.

Do you want the X Window System to be started by xenodm: yes.

Setup a user (actually enter the username here - the installer gets snarky if you enter "yes")

Enter the full name, password twice.

Allow root ssh: No.

Enter your timezone.

Select root disk: In my case it's wd1 since wd0 is the MacOS disk.

Use whole disk GPT (this is important - if you go MBR your ability to make certain changes later can be impeded.)

Accept the layout (in hindsight I think I should have modified this for more space on the EFI partition - more about this later).

Don't initialize any additional disks.

Install sets: The installer glosses over part of this; if you didn't know ahead of time that you need to remount sd0 you'll get confused about where you're supposed to find them from.

Location of sets: disk

Is the partition already mounted? No

Which disk contains the media? sd0

Which partition has the install sets? a

Pathname to the sets? 7.0/amd64

Select all (default) and choose done.

Continue without verification.

Installation begins.

Location of sets: done

Exit to Shell, Halt, or Reboot? Halt <--- This doesn't seem to work right on the Mini. Need to investigate.

Remove media, power off.

Hold ALT and power on. You'll see DISK0 (The MacOS install) and "Windows".

Boot into MacOS and make sure it still works.

While in MacOS, this is a good time to purge "Windows".

I found this related article: [Rename EFI Boot Partition "EFI Boot"](https://apple.stackexchange.com/questions/343707/rename-efi-boot-partition-efi-boot). I wanted to add the OpenBSD icon, but I didn't leave enough space on the EFI partition. *Alexa, this is so sad. Play Despacito.*

diskutil mount disk1s1
bless --folder /Volumes/NO\ NAME/efi/boot --label "OpenBSD"

Reboot, hold ALT key again, boot into OpenBSD. SUCCESS!

To do:

- Wireless

- Shutdown / Halt

- Suppress "can't read the disk" message in MacOS.

2022-01-18: Mac Mini 2011 Project

I recently picked up a Mac Mini 2011 (MacMini5,2