What are technical/security differences between passing a flash drive via qvm-block and qvm-usb?


daltong defourne

Mar 30, 2017, 7:01:33 AM
to qubes-devel
Hello!

I have been using a Debian-based USB-VM qube for quite some time (have to use Debian, but TBH Fedora is not much better), and am getting a large amount of annoying "USB device stuck/fails to detach/etc etc" problems.
The issue is well-known (I've submitted a lot of logs to the relevant issue on GitHub) but, well, I need to do something to improve my experience ASAP as I am likely to have a lot of USB flash drives in my workflow pretty soon. Like, tens of attach/detach per day.

Is there enough difference between
qvm-block -a <recipient vm> <USB-VM>:sd(x)
and
qvm-usb -a <recipient vm> <USB-VM>:x-y

to bother with trying to use the latter instead of the former?

Are there any additional security implications of qvm-usb that would not be present with qvm-block?

Chris Laprise

Mar 30, 2017, 9:02:02 AM
to daltong defourne, qubes-devel
qvm-block is a fully supported feature of Qubes, and it's a more secure
way to use a block device. qvm-usb can expose your VMs to (more types
of) attacks by malicious devices---it's risky.

OTOH, if the USB drives contain secure encrypted disk images (like .img
files using LUKS) then attaching the image files via qvm-block -A is
pretty safe.

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
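
Added example, not part of the original thread and not Qubes code: a check that an image file on the flash drive really starts with a LUKS header before it is attached with qvm-block -A. It reads only the first 4 KiB and is assumed to run in the USB VM where the drive is mounted; the file names, the UUID and the sample headers are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"      # 6-byte magic of LUKS1 and LUKS2 primary headers
UUID_OFF, UUID_LEN = 168, 40      # NUL-padded UUID field, same offset in both versions

def luks_info(header: bytes):
    """Return (version, uuid) for a LUKS primary header, or None for anything else."""
    if len(header) < UUID_OFF + UUID_LEN or header[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack(">H", header[6:8])   # big-endian uint16
    if version not in (1, 2):
        return None
    raw = header[UUID_OFF:UUID_OFF + UUID_LEN].split(b"\0", 1)[0]
    if not raw or not all(chr(b) in "0123456789abcdefABCDEF-" for b in raw):
        return None          # malformed UUID field: treat as not LUKS
    return version, raw.decode("ascii")

def check_image(path: str):
    """Read only the first 4 KiB of an image file and classify it."""
    with open(path, "rb") as f:
        return luks_info(f.read(4096))

# Constructed sample headers (not real volumes), so the example runs offline.
def make_sample(version: int, uuid: str) -> bytes:
    hdr = bytearray(4096)
    hdr[:6] = LUKS_MAGIC
    hdr[6:8] = struct.pack(">H", version)
    hdr[UUID_OFF:UUID_OFF + len(uuid)] = uuid.encode()
    return bytes(hdr)

SAMPLE_UUID = "00000000-1111-2222-3333-444444444444"   # constructed value
SAMPLES = {
    "backup.img": make_sample(1, SAMPLE_UUID),
    "vault.img": make_sample(2, SAMPLE_UUID),
    "plain.img": b"\xeb\x3c\x90MSDOS5.0" + bytes(4085),  # starts like a FAT boot sector
    "short.img": LUKS_MAGIC,                              # truncated file
}

def classify_samples():
    return {name: luks_info(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, info in classify_samples().items():
        verdict = f"LUKS{info[0]} uuid={info[1]}" if info else "not a LUKS image"
        print(f"{name}: {verdict}")
```

A matching header only shows that the file is formatted as LUKS; it says nothing about what the container holds once opened.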