qvm-block and qvm-usb implementation


Drolo

Jan 2, 2018, 2:40:33 PM1/2/18
to qubes...@googlegroups.com
Hi,
I'm interested in how qvm-block and qvm-usb are implemented and in which way they interact in the USB drive case. Here is what I discovered about PCI Passthrough and USB Passthrough:
From [0] I read that Qubes OS uses VT-d (through [3] and [5]) to isolate networking and USB controllers in domains. In fact lspci (in dom0) states that the pciback driver is associated with those PCI devices. So dom0 handles only the passthrough, nothing more.
[6] states that it's not possible to assign a single USB device to a domain, because of the VT-d design. However, I think it's not up to date, because of qubes-usb-proxy ([2]). From [7] and [8] I deduced that qvm-usb uses PVUSB ([4]) to pass through a single USB device.
From [1] I read that qvm-block uses a Xen block backend hosted in the UsbVM. Initially I didn't find what it refers to. Then I found the xl block-attach command (from [2]). So I found [10] and [11].

So I concluded:
- qvm-usb uses PVUSB. However, Qubes OS's xl doesn't seem to implement usb-list and related commands.
- qvm-pci uses Xen PCI passthrough, so xl pci-attach and related commands.
- Specifically for networking: xl network-attach. From [2] I read that, because of [12], the attack surface in the guest domain is smaller. Hence the security benefit.
- qvm-block uses xl block-attach and related commands.
- qvm-block is independent of qvm-usb, once the guest domain detects the drive.

Are these conclusions correct?
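The lspci observation in the post above (dom0 shows pciback bound to the USB and network controllers, so dom0 only passes them through) can be turned into a quick audit. The following is an added example, not code from this thread or from Qubes OS. The `lspci -k` output it parses is constructed, and the PCI class names it treats as "must be delegated" and the driver names it accepts as passthrough (`pciback`, `xen-pciback`) are assumptions about what a dom0 kernel prints, not values taken from the post.

```python
"""Audit `lspci -k` output for controllers that dom0 should only pass through.

Added example (not part of the qubes-devel thread or Qubes OS). Parses the
output of `lspci -k` and reports USB/network controllers that are bound to a
real driver in dom0 instead of the Xen PCI backend.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `lspci -k` as it might look in dom0. Bus addresses,
# device names and drivers are illustrative, not from a real machine.
SAMPLE_LSPCI_K = """\
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers (rev 08)
\tSubsystem: Lenovo Device 2258
00:14.0 USB controller: Intel Corporation Sunrise Point-LP USB 3.0 xHCI Controller (rev 21)
\tSubsystem: Lenovo Device 2258
\tKernel driver in use: pciback
\tKernel modules: xhci_pci
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection (4) I219-LM (rev 21)
\tSubsystem: Lenovo Device 2258
\tKernel driver in use: pciback
\tKernel modules: e1000e
02:00.0 Network controller: Intel Corporation Wireless 8265 / 8275 (rev 78)
\tSubsystem: Intel Corporation Device 0010
\tKernel driver in use: iwlwifi
\tKernel modules: iwlwifi
3c:00.0 Non-Volatile memory controller: Samsung Electronics Co Ltd NVMe SSD Controller SM961/PM961
\tKernel driver in use: nvme
\tKernel modules: nvme
"""

# Assumption: these lspci class names are the ones Qubes expects to live in
# sys-net / sys-usb rather than dom0.
DELEGATED_CLASSES = ("USB controller", "Ethernet controller", "Network controller")
# Assumption: driver names that mean "passed through to another domain".
PASSTHROUGH_DRIVERS = {"pciback", "xen-pciback"}

# Header line: "<bus>:<dev>.<fn> <class>: <name>" (optionally with a PCI domain prefix).
HEADER_RE = re.compile(
    r"^(?P<bdf>(?:[0-9a-f]{4}:)?[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]) (?P<cls>[^:]+): (?P<name>.*)$"
)


@dataclass
class PciDevice:
    bdf: str
    pci_class: str
    name: str
    driver: Optional[str] = None
    modules: List[str] = field(default_factory=list)


def parse_lspci_k(text: str) -> List[PciDevice]:
    """Parse `lspci -k` text into PciDevice records (indented lines belong to the last header)."""
    devices: List[PciDevice] = []
    current: Optional[PciDevice] = None
    for line in text.splitlines():
        if not line.startswith(("\t", " ")):
            m = HEADER_RE.match(line)
            if m:
                current = PciDevice(m["bdf"], m["cls"].strip(), m["name"].strip())
                devices.append(current)
            else:
                current = None  # unrecognised header: ignore its detail lines
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition(":")
        if key == "Kernel driver in use":
            current.driver = value.strip()
        elif key == "Kernel modules":
            current.modules = [mod.strip() for mod in value.split(",") if mod.strip()]
    return devices


def find_unhidden_controllers(devices: List[PciDevice]) -> List[PciDevice]:
    """Delegated-class devices that dom0 drives itself, or that are not bound to any driver."""
    return [
        d for d in devices
        if d.pci_class in DELEGATED_CLASSES and d.driver not in PASSTHROUGH_DRIVERS
    ]


if __name__ == "__main__":
    for dev in find_unhidden_controllers(parse_lspci_k(SAMPLE_LSPCI_K)):
        print(f"WARNING {dev.bdf} {dev.pci_class} ({dev.name}) is bound to "
              f"{dev.driver or 'no driver'} in dom0, not to the Xen PCI backend")
```

On the constructed sample the audit flags only the wireless card (02:00.0), which is bound to iwlwifi in dom0; the xHCI and Ethernet controllers show pciback and pass. A device of a delegated class with no driver at all is also reported, since it is not assigned to another domain either. To run it against a real dom0, feed it the output of `lspci -k` instead of the constructed sample.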

Marek Marczykowski-Górecki

Jan 3, 2018, 2:38:58 AM1/3/18
to Drolo, qubes...@googlegroups.com
On Tue, Jan 02, 2018 at 02:40:16PM -0500, 'Drolo' via qubes-devel wrote:
> Hi,
> I'm interested in how qvm-block and qvm-usb are implemented and in which way they interact in the USB drive case. Here is what I discovered about PCI Passthrough and USB Passthrough:
> From [0] I read that Qubes OS uses VT-d (through [3] and [5]) to isolate networking and USB controllers in domains. In fact lspci (in dom0) states that the pciback driver is associated with those PCI devices. So dom0 handles only the passthrough, nothing more.
> [6] states that it's not possible to assign a single USB device to a domain, because of the VT-d design. However, I think it's not up to date, because of qubes-usb-proxy ([2]). From [7] and [8] I deduced that qvm-usb uses PVUSB ([4]) to pass through a single USB device.
> From [1] I read that qvm-block uses a Xen block backend hosted in the UsbVM. Initially I didn't find what it refers to. Then I found the xl block-attach command (from [2]). So I found [10] and [11].
>
> So I concluded:
> - qvm-usb uses PVUSB. However, Qubes OS's xl doesn't seem to implement usb-list and related commands.
> - qvm-pci uses Xen PCI passthrough, so xl pci-attach and related commands.
> - Specifically for networking: xl network-attach. From [2] I read that, because of [12], the attack surface in the guest domain is smaller. Hence the security benefit.
> - qvm-block uses xl block-attach and related commands.
> - qvm-block is independent of qvm-usb, once the guest domain detects the drive.
>
> Are these conclusions correct?

Almost: qvm-usb uses USBIP over qrexec instead of IP. Some details are
here:
https://github.com/QubesOS/qubes-app-linux-usb-proxy

Other points are correct.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Drolo

Jan 3, 2018, 9:42:44 AM1/3/18
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
Thanks!
