USB printer, USB input devices, all connected to same internal USB controller - how to securely print?


adre...@riseup.net

Jul 14, 2015, 9:51:29 AM
to qubes...@googlegroups.com
Hi,

I have an issue with a notebook. It has multiple USB controllers. 4 in
total. Also 4 ports. But every physical USB port is connected to the
same USB controller. The other USB controllers seem to be used for
"internal" stuff such as internal USB web cam. Is this usual?

In my preferred setup, the notebook is "far" away. I don't use its
internal keyboard and touchpad. Having both input devices, keyboard and
mouse, connected by USB. Now, USB printer and input devices are
connected to the same USB controller. So I cannot attach that USB
controller to an [untrusted] AppVM, because I'll otherwise (tested)
lose the ability to use the external USB input devices [as expected].

[I'll want the printer in an untrusted AppVM, because of the proprietary
required binary blob.]

https://www.qubes-os.org/doc/AssigningDevices/ says, single USB devices
cannot be assigned to AppVMs. Only whole USB controllers.

So I guess, I reached a dead end here? Gotta bite the bullet. Options
would boil down to print in dom0 [really awful idea, would defeat the
purpose of Qubes] or use another computer for printing? Or do you have
any other suggestions?

Cheers,
Patrick

conp...@gmail.com

Jul 14, 2015, 10:34:31 AM
to qubes...@googlegroups.com, adre...@riseup.net

As you intend to print in an untrusted VM, I guess there is nothing top secret. In such a case there's no need to have the printing facility on the same machine. I'd turn a Raspberry Pi or similar into a print server and then connect to that through an SSH tunnel (to avoid sniffing in netvm). The print server would be untrusted but could be reasonably secured from intrusions, especially if it would be switched off when not in use.

Franz

Jul 14, 2015, 11:08:58 AM
to conp...@gmail.com, qubes...@googlegroups.com, adre...@riseup.net
I used network printing, which works very well with Qubes, just following the official documentation. My printer was NOT a network printer, so I bought a very cheap TP-Link TP-PS110U network printing adaptor. It has been there for at least 3 years and I only once had to reset it. Set the adapter to use a fixed IP address and everything is easy.

This setting is more secure than USB printing and, as an additional advantage, you can also print from other AppVMs and from other network devices that can use a network printer, even some phones.
Best
Fran
 

Rusty Bird

Jul 14, 2015, 11:12:03 AM
to qubes...@googlegroups.com, adre...@riseup.net

Hi Patrick,

> So I guess, I reached a dead end here? Gotta bite the bullet.
> Options would boil down to print in dom0 [really awful idea, would
> defeat the purpose of Qubes] or use another computer for printing?
> Or do you have any other suggestions?

If your notebook has a free ExpressCard slot, you could add an
external USB controller.

Rusty

cprise

Jul 14, 2015, 3:21:13 PM
to adre...@riseup.net, qubes...@googlegroups.com
Thinkpads like mine appear to have 3 ports, each with a PCI device that
all reside in one controller chip. I can assign a PCI USB controller to
a VM and it will behave like a separate device. But who knows if that is
really secure.

If you absolutely have to print in dom0, then using Qubes trusted pdf
feature as an intermediary would provide some level of security. But I
think I like the idea of using network printers from domU better.

adre...@riseup.net

Jul 14, 2015, 6:54:50 PM
to Franz, conp...@gmail.com, qubes...@googlegroups.com
Very interesting ideas here!

On 2015-07-14 17:08, Franz wrote:
> My printer was NOT a network printer, so bought
> a very cheap TP-Link TP-PS110U network printing adaptor.

As a neglected previous detail, my printer is a combi device. Also a
scanner.

So do you own also a scanner or do you also have a combi device? And
have you got the printer to work using that adapter?

To my research, the TP-Link TP-PS110U manual says, that one needs some
Windows tool to make use of the scan function. I am hoping, I am wrong
and you got a better answer. :)

> This setting is more secure than USB printing and, as an additional
> advantage, you can print also from other applVMs and from other network
> devices that can use a network printer, even some phones.

Yes, good stuff.

Cheers,
Patrick

Franz

Jul 14, 2015, 7:56:47 PM
to adrelanos grayson, Connor Page, qubes...@googlegroups.com
On Tue, Jul 14, 2015 at 7:54 PM, <adre...@riseup.net> wrote:
> Very interesting ideas here!
>
> On 2015-07-14 17:08, Franz wrote:
>> My printer was NOT a network printer, so bought
>> a very cheap TP-Link TP-PS110U network printing adaptor.
>
> As a neglected previous detail, my printer is a combi device. Also a scanner.
>
> So do you own also a scanner or do you also have a combi device?

This scanner can be connected to Qubes without having to assign the USB controller because it can be attached as a block device. It is also very portable and more than enough for my needs.
 
> And have you got the printer to work using that adapter?

Yes, my Samsung printer works with that. No idea about your combi printer. I vaguely remember having seen years ago a list of printers compatible with TP-PS110U. But this is not the only network printer server available. There are plenty and newer, even wireless: http://www.aliexpress.com/wholesale?catId=0&initiative_id=SB_20150714154216&SearchText=network+printer+server

 

> To my research, the TP-Link TP-PS110U manual says, that one needs some Windows tool to make use of the scan function. I am hoping, I am wrong and you got a better answer. :)

No, these devices usually have an interface accessible by your browser, so you can set it simply using Firefox. You only have to write the IP address of your device in the Firefox address window. No need to use Windows. But certainly with Windows there should be some installation application that is supposed to provide some easier route to do the same.

Best
Fran

Marek Marczykowski-Górecki

Jul 14, 2015, 8:08:47 PM
to adre...@riseup.net, Franz, conp...@gmail.com, qubes...@googlegroups.com

On Wed, Jul 15, 2015 at 12:54:49AM +0200, adre...@riseup.net wrote:
> Very interesting ideas here!
>
> On 2015-07-14 17:08, Franz wrote:
> >My printer was NOT a network printer, so bought
> >a very cheap TP-Link TP-PS110U network printing adaptor.
>
> As a neglected previous detail, my printer is a combi device. Also a
> scanner.
>
> So do you own also a scanner or do you also have a combi device? And have
> you got the printer to work using that adapter?
>
> To my research, the TP-Link TP-PS110U manual says, that one needs some
> Windows tool to make use of the scan function. I am hoping, I am wrong and
> you got a better answer. :)

If you connect that combi device to some Linux host (OpenWrt-based, for
example), you can try your luck with USBIP. My scanner does not work in
such a setup (there is some awful binary driver which has problems even
when the device is connected directly to that host), but maybe yours would
work better.

Regarding printing over the network, it just works. Take a look at
default /rw/config/rc.local - there is example exactly for cups. You can
use that if you want to set up printing in just one dedicated VM.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

conp...@gmail.com

Jul 15, 2015, 6:49:06 AM
to qubes...@googlegroups.com, adre...@riseup.net, 169...@gmail.com
On Tuesday, 14 July 2015 23:54:50 UTC+1, adre...@riseup.net wrote:
>
> As a neglected previous detail, my printer is a combi device. Also a
> scanner.

I'd still prefer a Raspberry Pi handling both printing and network scanning. See here:
http://blogs.fsfe.org/the_unconventional/2014/09/09/network-sane/

Jeremias E.

Jul 15, 2015, 8:50:50 AM
to qubes...@googlegroups.com, conp...@gmail.com, 169...@gmail.com, adre...@riseup.net
Hello,

The idea of using a Raspberry Pi for handling the printing and network scanning is really nice. I like it.
Thanks for sharing :-)

Best regards
  J. Eppler

Connor Page

Jul 15, 2015, 9:27:16 AM
to Jeremias E., qubes...@googlegroups.com, 169...@gmail.com, adre...@riseup.net
Just be aware of some complications for Qubes AppVMs, like there's no use for avahi service discovery.

Patrick Schleizer

Jul 15, 2015, 6:24:54 PM
to conp...@gmail.com, qubes...@googlegroups.com
conp...@gmail.com:
> As you intend to print in untrusted vm then I guess there nothing top
> secret.

Yes.

> In such case there's no need to have printing facility on the
> same machine.

The only sub-goal is simplicity. A separate machine, Pi etc. is still
something I prefer to avoid.

Patrick Schleizer

Jul 15, 2015, 6:40:31 PM
to Franz, Connor Page, qubes...@googlegroups.com
Franz:
> On Tue, Jul 14, 2015 at 7:54 PM, <adre...@riseup.net> wrote:
>> And have you got the printer to work using that adapter?
>
>
> Yes, my Samsung printer works with that. No idea about your combi printer.
> I vaguely remember having seen years ago a list of printers compatible
> with TP-PS110U. But this is not the only network printer server available.
> There are plenty and newer, even wireless:
> http://www.aliexpress.com/wholesale?catId=0&initiative_id=SB_20150714154216&SearchText=network+printer+server

Sorry. What I wanted to ask was...

And have you got the scanner part of your printer / scanner - combi
device to work using that adapter?

[Suppose you have a combi device?]

Cheers,
Patrick

Franz

Jul 15, 2015, 7:05:50 PM
to Patrick Schleizer, Connor Page, qubes...@googlegroups.com
Patrick, I already wrote that I have a separate portable skypix scanner that can be attached as a block device. So no, I do not have a combi and would bet that any network printer server would be unable to receive a scanner input.

So, summing up: if you want to use a network printer server, you should buy a separate scanner that can be attached as a block device; otherwise you customize a Pi server, which seems to be able to manage both printer and scanner; or, finally, if you have an ExpressCard slot, you may follow Rusty Bird's advice, buy a USB controller, assign it to an AppVM and use both printer and scanner with that AppVM. So you have many options to enjoy.
Best
Fran



Patrick Schleizer

Apr 13, 2016, 6:36:39 PM
to Franz, conp...@gmail.com, qubes...@googlegroups.com
Franz:
I've bought the device and gave it a try. I was naive enough to believe,
that this device would abstract and handle all the driver magic, somehow
provide a generic network printer that just works. But that is wrong?

system-config-printer now wants to know, host (IP, easy, as per
documentation), queue (which one?) and protocol, one of ipps,
AppSocket/HP JetDirect, ipp, https, ipp14, LPD/LPR. Which one is it?

Then it wants ppd file from me. But I cannot find one on the internet.
Do I have to choose the producer of my printer? It's in the list, but
the driver says "proprietary plugin required".

(To get my printer to work on Debian required using hplip and
downloading the proprietary plugin through hp-plugin.)

Cheers,
Patrick

Franz

Apr 13, 2016, 9:03:13 PM
to Patrick Schleizer, Connor Page, qubes...@googlegroups.com
I do not remember all the steps because several years have passed, but I certainly had to assign a fixed IP to the network server. But it was not much more.

The Qubes documentation is here: https://www.qubes-os.org/doc/network-printer/

When the configuration GUI opens I select "enter URI" and write:
lpd://<address of the network server>/pl1
then I have to choose the printer model as usual
and it works easily
Best
Fran

raah...@gmail.com

Apr 13, 2016, 9:32:57 PM
to qubes-users, adre...@riseup.net, conp...@gmail.com
I went with a Raspberry Pi, which cost the same amount of money I was going to pay for an iogear or tslink wireless print server, and I couldn't be happier with it. Got it set up for printing and scanning from untrusted and dispvms.

Basic setup with my USB HP printer: just used hplip or hp-setup on the Pi, and system-config-printer on the Qubes side, using just port 631 (ipp), and it works great. I also set up scanning with it, which also works perfectly. I just had to install the nf_conntrack_sane module to work along with the sane control port to get through the firewall I set up on the Pi (instead of having to allow a big port range at all times). These little Raspberry Pi things really are amazing! I'm using an ssh key, a firewall, a shadow user, and basic hardening. I haven't done the tunneling thing, though it might be a good idea. I figure if I was to use any other network printer nothing would be secret anyway, and sys-usb isn't considered very trusted either.

Although I do wish I could make a separate usbvm, to use temporarily for certain devices, but I always get a xenlight error and I am unable to create a second usbvm no matter what I do. :(

Only thing I haven't set up yet is air print or google cloud print to print from the phones to the Pi. Debian dropped support for arm so no chromium available anymore for raspbian, but there is a community member who has some good endorsements from some Pi engineers who made a repo for it porting Ubuntu's chromium arm, which I'm thinking of trying. I'd rather do that than use some unknown program from playstore. (I just wish there was a way to verify the files from Ubuntu.)
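
The Pi-side firewall described in the post above (IPP on port 631, with the SANE control connection handled by nf_conntrack_sane instead of an open port range), sketched as an added example that is not part of the original post. It only generates an iptables-restore ruleset; the SANE control port 6566, SSH on port 22, the single allowed client address and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for a
# Pi print/scan server. Assumed: CUPS/IPP on 631/tcp, saned control port
# 6566/tcp, SSH on 22/tcp, one allowed client IPv4 address, and
# nf_conntrack_sane already loaded (modprobe nf_conntrack_sane).

# Return 0 only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the ruleset for the single client address given as $1.
print_server_rules() {
    client=$1
    valid_ipv4 "$client" || { echo "invalid client address: $client" >&2; return 1; }
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the SANE helper to the scanner control connection only.
-A PREROUTING -s $client/32 -p tcp --dport 6566 -j CT --helper sane
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# The helper marks saned's data connection RELATED: no port range is opened.
-A INPUT -p tcp -m conntrack --ctstate RELATED -m helper --helper sane -j ACCEPT
-A INPUT -s $client/32 -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
-A INPUT -s $client/32 -p tcp -m conntrack --ctstate NEW --dport 631 -j ACCEPT
-A INPUT -s $client/32 -p tcp -m conntrack --ctstate NEW --dport 6566 -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: ./rules.sh 192.0.2.10 | iptables-restore
if [ "$#" -gt 0 ]; then print_server_rules "$1"; fi
```

Review the generated rules before piping them to iptables-restore as root, since the default INPUT policy is DROP and a wrong client address locks out SSH.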

Axon

Apr 13, 2016, 11:14:00 PM
to Patrick Schleizer, Franz, conp...@gmail.com, qubes...@googlegroups.com

Patrick Schleizer:
I don't have experience with that type of device. However, I am
successfully using a network-based (wi-fi) printer with Qubes. Basic
steps that worked in my case:

0. (Optional) Find a network printer which people report works
with Linux.
1. Download model-specific binary blobs from vendor's website.
2. Install them in (less trusted) template.
3. Start system-config-printer and enter static IP address of the
printer on my local network.
4. Print things from AppVMs based on the template.

Based on the report from Franz, I imagine the steps should be roughly
the same...