Tomster/QubesOS-Scripts
1
0
Fork 0
mirror of https://github.com/tommytran732/QubesOS-Scripts synced 2025-02-20 18:21:34 -05:00
Code
26350db28f
QubesOS-Scripts/Quality of Life.md
Tommy 26350db28f
Add maim 
Signed-off-by: Tommy <contact@tommytran.io>
2025-02-19 16:33:41 -07:00

3.6 KiB
Raw Blame History

Quality of Life

LUKS Discard

By default, Qubes does not use discard with a LUKS volume. To enable discard, run:

sudo cryptsetup --allow-discards --persistent refresh LUKS-UUID-HERE

Auto login

The first login prompt after the encryption password is security theatre, so we can skip it entirely. Make /etc/lightdm/lightdm.conf.d/autologin:

[Seat:*]
autologin-user=USERNAME

S0ix sleep

On certain hardware like the Thinkpad T14 Gen 1, you need to enable S0ix sleep support for suspension to work correctly. Use the following command:

sudo qvm-features dom0 suspend-s0ix 1

Default appmenu

The default apps to show on AppVMs' menu when created can be configured with qvm-features.

Example:

sudo qvm-features fedora-41 default-menu-items 'org.gnome.Nautilus.desktop org.gnome.Ptyxis.desktop'
sudo qvm-features fedora-41 netvm-menu-items 'org.gnome.Ptyxis.desktop'

sudo qvm-features debian-12 default-menu-items 'org.gnome.Console.desktop org.gnome.Nautilus.desktop'
sudo qvm-features debian-12 netvm-menu-items 'org.gnome.Console.desktop'

Lenovo ePrivacy

Lenovo ePrivacy can be controlled through /proc/acpi/ibm/lcdshadow. I use the following shortcuts:

  • F5: sudo bash -c 'echo 1 > /proc/acpi/ibm/lcdshadow'
  • F6: sudo bash -c 'echo 0 > /proc/acpi/ibm/lcdshadow'

FIDO2 policies

The GUI configurator are missing 2 important policies needed for FIDO2 to work correctly, namely ctap.GetInfo and ctap.ClientPin.

Personally, I created /etc/qubes/policy.d/50-ctap.policy (note that I don't touch /etc/qubes/policy.d/50-config-u2f.policy to avoid it being overwritten by the GUI tool):

ctap.GetInfo    *  microsoft-edge  sys-usb  allow
ctap.ClientPin  *  microsoft-edge  sys-usb  allow

Split GPG

The GUI configurator is very broken so I don't use it. Instead, I write my own policy at /etc/qubes/policy.d/50-gpg.policy

qubes.Gpg  *  thunderbird  vault  allow

Note that I just use allow here, because the vault VM on a new Fedora 41 already prompts for confirmation, so I don't wanna have to answer yet another prompt from dom0.

qvm-screenshot-tool

sudo qubes-d0m-update maim zenity

Copy this file to /usr/local/bin in dom0. Maim is needed until this issue is resolved.

sudo chmod +x /usr/local/bin

Set the PrntSc button to run qvm-screenshot in shortcut settings.

Trivial data exfiltration prevention

One trivial way for malicious applications to exfiltrate data from an offline VM is to open a link in a disposable VM with a payload. To prevent this, open the VM settings, go to advanced and set the default disposable template to none.

Edge Dark Mode

Go to edge://flags and set "Auto Dark Mode for Web Contents" to "Enable with selective inversion of non-image elements". This reduces flashbangs a lot.

Bitwarden & Element Flatpak

These apps require the keyring to be created first to work properly. Simply open a browser like Microsoft Edge and set an empty password for the keyring before using them.

Video player

In my experience, VLC works best. Changing video output to X11 video output (XCB) reduces CPU usage by 10% on my Thinkpad P53. See this link.

If you want to use MPV, make sure that --vo=x11 --profile=sw-fast is passed as arguments. See this link.