Sys-usb + boot loader + keyfile on external drive?


0mn1...@gmail.com

Aug 8, 2016, 4:16:41 PM8/8/16
to qubes-users
As the title suggests. Is it even possible to have a dedicated USB VM and still manage a Qubes setup where the bootloader and keyfile are stored on an external USB drive? Or are these two currently mutually exclusive?

Andrew David Wong

Aug 9, 2016, 12:14:32 AM8/9/16
to 0mn1...@gmail.com, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
If I understand your question correctly, I think it should be possible by
unhiding your USB controller from dom0.

Go here: https://www.qubes-os.org/doc/usb/

And read the section: "Hide all USB controllers from dom0"

Then undo that procedure, i.e., remove "rd.qubes.hide_all_usb", then
regenerate grub.cfg.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Marek Marczykowski-Górecki

Aug 9, 2016, 2:41:27 PM8/9/16
to Andrew David Wong, 0mn1...@gmail.com, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Mon, Aug 08, 2016 at 09:14:25PM -0700, Andrew David Wong wrote:
> On 2016-08-08 13:16, 0mn1...@gmail.com wrote:
> > As the title suggests. Is it even possible to have a dedicated USB VM and
> > still manage a Qubes setup where the bootloader and keyfile are stored on
> > an external USB drive? Or are these two currently mutually exclusive?
> >
>
> If I understand your question correctly, I think it should be possible by
> unhiding your USB controller from dom0.
>
> Go here: https://www.qubes-os.org/doc/usb/
>
> And read the section: "Hide all USB controllers from dom0"
>
> Then undo that procedure, i.e., remove "rd.qubes.hide_all_usb", then
> regenerate grub.cfg.

Yes, it should be possible (the way Andrew described), but keep in mind
it will be a little inconvenient:
- updates of kernel/xen will require you to somehow transfer updated
files there, as /boot will be inaccessible to dom0
- it's better to disconnect that usb drive as soon as system boots, to
not expose it to potentially compromised sys-usb

The latter can be eased by using Anti Evil Maid - where startup scripts
will explicitly ask you to remove the USB stick.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXqiPOAAoJENuP0xzK19csdZQH/1pKm4bXB4wRlkMZIX1eCddj
mneHqZRikcRg7GZgGYv2WoqAYvflPUK/65auyOmb9CKKRH3KvfY+UPewDm9p5k26
1y4PPqlAzFBeITkfz1S6WdMmjY/6JdWAA4ApvhLwDSJO87/+RXoQWrhu/G/Qtjvo
VWafYTP56svAxrLqjnp7NRnuCvjDwTrHL0SlxPYlTarhrHXyAs21ogGovuflYnwT
YrpHf6/qtrwSyEOWpkoGztqRkWAHU9tXlK8MK63pDGBjgD2uHl/oLFIFQLrw1Cl2
/7rAOnUTeFeCdWTPtPGJI1fwKonCiLMQ2OCRqejOjVuYTHghvvOCpecaCX63iAQ=
=ZUjP
-----END PGP SIGNATURE-----
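The two steps Andrew describes (drop `rd.qubes.hide_all_usb` from the kernel command line, regenerate grub.cfg) and the maintenance chore Marek warns about (getting updated kernel/xen files onto a /boot that only exists while the USB stick is attached) as one added shell example. This is not code from the Qubes documentation or from either poster; it assumes the Qubes R3.x layout (`GRUB_CMDLINE_LINUX` in `/etc/default/grub`, generated config at `/boot/grub2/grub.cfg`), assumes a dom0 update that ran while the stick was absent leaves its files in the root filesystem's own `/boot` directory, and the boot-stick partition path is a placeholder you fill in:

```shell
#!/bin/sh
# Added example, not from the Qubes docs or this thread. Assumes the
# Qubes R3.x layout: GRUB_CMDLINE_LINUX in /etc/default/grub and the
# generated config at /boot/grub2/grub.cfg. Meant to run in dom0.
set -eu

# True when the file (e.g. /etc/default/grub or /proc/cmdline) still
# carries the flag that hides every USB controller from dom0.
usb_hidden() {
    grep -q 'rd\.qubes\.hide_all_usb' "$1"
}

# Drop rd.qubes.hide_all_usb from GRUB_CMDLINE_LINUX* lines in the file
# named by $1, editing in place without relying on GNU-only "sed -i".
strip_hide_all_usb() {
    f="$1"
    sed -E '/^GRUB_CMDLINE_LINUX(_DEFAULT)?=/{
        s/[[:space:]]*rd\.qubes\.hide_all_usb//g
        s/="[[:space:]]+/="/
    }' "$f" > "$f.tmp"
    mv "$f.tmp" "$f"
}

# Marek's caveat: with the boot loader on the stick, /boot is only present
# while the stick is attached. Assumption: a kernel/xen update applied while
# the stick was absent wrote into the root filesystem's /boot directory,
# which a bind mount of / lets us read from underneath the real mount.
# $1 is the stick's partition (placeholder, e.g. /dev/disk/by-uuid/<UUID>).
refresh_external_boot() {
    dev="$1"
    under=$(mktemp -d)
    mount --bind / "$under"          # reach the root fs's own /boot dir
    mountpoint -q /boot || mount "$dev" /boot
    cp -a "$under"/boot/vmlinuz-* "$under"/boot/initramfs-* \
          "$under"/boot/xen* /boot/  # carry over what the update installed
    umount "$under" && rmdir "$under"
    grub2-mkconfig -o /boot/grub2/grub.cfg
    umount /boot
    echo "grub.cfg regenerated; remove the USB boot stick now."
}

# Demo on a constructed copy, so running this file never touches the real
# config. For real use: strip_hide_all_usb /etc/default/grub, then
# refresh_external_boot /dev/disk/by-uuid/<UUID> with the stick attached.
demo=$(mktemp)
cat > "$demo" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-<UUID> rd.qubes.hide_all_usb rhgb quiet"
EOF
strip_hide_all_usb "$demo"
if usb_hidden "$demo"; then
    echo "flag still present in $demo"
else
    echo "flag removed; resulting line:"
    grep '^GRUB_CMDLINE_LINUX=' "$demo"
fi
rm -f "$demo"
```

The demo only rewrites a throwaway copy of the grub defaults; `refresh_external_boot` is the part that needs the stick attached and root privileges, and it unmounts /boot again at the end so the stick can be pulled, which is the point of Marek's second caveat.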

0mn1...@gmail.com

Aug 9, 2016, 4:44:03 PM8/9/16
to qubes-users, 0mn1...@gmail.com
Thank you both for the insightful information. Taking into consideration all these things, which setup would you most recommend? Or does it strictly depend on usage scenarios of my machine?


1. bootloader is on a portable USB with keyfile. Qubes does not use a dedicated USB qube.

2. bootloader is on the same device as Qubes with keyfile on a portable USB. Qubes uses a dedicated USB qube.


Thinking it over, option 2 sounds the most wise as I can simply set a strong password at system boot to prevent any access to bios settings/boot options. Option 2 is most attractive due to the fact that it makes installing burner wi-fi USBs to the USB VM much easier (I am not sure just how safe it is to install a burner wi-fi to dom0 and then re-route all internet traffic through the net VM).

Andrew David Wong

Aug 10, 2016, 4:18:28 AM8/10/16
to 0mn1...@gmail.com, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I think it depends entirely on your threat model. For *some* users -- even
those with extremely high security needs -- putting the bootloader on a
removable device is not at all necessary. In your case, though, it might be. I
have no way of knowing. Personally, I find the protection offered by having a
dedicated USB qube to be far more important than the bootloader issue, but
your situation may not be the same as mine.

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
