MicroSD assigned to dom0 and not to sys-usb


468ezc+5r0...@guerrillamail.com

Aug 1, 2016, 3:35:29 PM
to qubes...@googlegroups.com
Hi,

My MicroSD, while attached, is assigned to dom0 and not to sys-usb as it is supposed to be. Notwithstanding, USB devices are still assigned to sys-usb.

Is this the intended behavior? Doesn't this increase, in the same manner as USB devices do, the attack surface in dom0?




Marek Marczykowski-Górecki

Aug 1, 2016, 3:37:16 PM
to 468ezc+5r0...@guerrillamail.com, qubes...@googlegroups.com
On Mon, Aug 01, 2016 at 07:35:26PM +0000, 468ezc+5r0fnwy87qeag via qubes-users wrote:
> Hi,
>
> My MicroSD, while attached, is assigned to dom0 and not to sys-usb as it is supposed to be. Notwithstanding, USB devices are still assigned to sys-usb.
>
> Is this the intended behavior? Doesn't this increase, in the same manner as USB devices do, the attack surface in dom0?

Your (micro)SD card reader is probably not a USB device, but a PCI device.
Yes, it's better to assign it to some VM - sys-usb is ok. You can do
this in VM settings - "Devices" tab.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Franz

Aug 1, 2016, 5:47:26 PM
to Marek Marczykowski-Górecki, 468ezc+5r0...@guerrillamail.com, qubes...@googlegroups.com
On Mon, Aug 1, 2016 at 4:37 PM, Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:
> On Mon, Aug 01, 2016 at 07:35:26PM +0000, 468ezc+5r0fnwy87qeag via qubes-users wrote:
> > Hi,
> >
> > My MicroSD, while attached, is assigned to dom0 and not to sys-usb as it is supposed to be. Notwithstanding, USB devices are still assigned to sys-usb.
> >
> > Is this the intended behavior? Doesn't this increase, in the same manner as USB devices do, the attack surface in dom0?
>
> Your (micro)SD card reader is probably not a USB device, but a PCI device.
> Yes, it's better to assign it to some VM - sys-usb is ok. You can do
> this in VM settings - "Devices" tab.

Any hint to identify which is the PCI device that handles SD cards?


Marek Marczykowski-Górecki

Aug 1, 2016, 5:59:09 PM
to Franz, 468ezc+5r0...@guerrillamail.com, qubes...@googlegroups.com
On Mon, Aug 01, 2016 at 06:47:21PM -0300, Franz wrote:
> On Mon, Aug 1, 2016 at 4:37 PM, Marek Marczykowski-Górecki <marm...@invisiblethingslab.com> wrote:
>
> > On Mon, Aug 01, 2016 at 07:35:26PM +0000, 468ezc+5r0fnwy87qeag via qubes-users wrote:
> > > Hi,
> > >
> > > My MicroSD, while attached, is assigned to dom0 and not to sys-usb as it is supposed to be. Notwithstanding, USB devices are still assigned to sys-usb.
> > >
> > > Is this the intended behavior? Doesn't this increase, in the same manner as USB devices do, the attack surface in dom0?
> >
> > Your (micro)SD card reader is probably not a USB device, but a PCI device.
> > Yes, it's better to assign it to some VM - sys-usb is ok. You can do
> > this in VM settings - "Devices" tab.
>
> Any hint to identify which is the PCI device that handles SD cards?

It should be something obvious - like "SD Host controller", or "SD/MMC
card reader".

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
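
One way to pick the SD reader out of the PCI device list, as an added example that is not part of the original thread: it filters `lspci -nn` output for PCI class 0805 (SD Host controller) or for the kind of description mentioned above. The sample lines, vendor names and IDs are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `lspci -nn` output (not taken from the thread).
sample_lspci() {
cat <<'EOF'
00:14.0 USB controller [0c03]: Example Corp xHCI Host Controller [1234:0001]
00:1f.2 SATA controller [0106]: Example Corp AHCI Controller [1234:0002]
02:00.0 SD Host controller [0805]: Example Corp SD/MMC Host Controller [1234:0003]
03:00.0 Unassigned class [ff00]: Example Corp PCI Express Card Reader [1234:0004]
04:00.0 Network controller [0280]: Example Corp Wireless Adapter [1234:0005]
EOF
}

# Print the bus:device.function address of every line that looks like an
# SD/MMC reader: PCI class 0805, or a description naming an SD host
# controller, an SD/MMC device or a card reader (some readers report an
# unassigned class, so the class code alone is not enough).
find_sd_readers() {
    awk '
        {
            line = tolower($0)
            if (line ~ /\[0805\]:/ || line ~ /sd host control/ ||
                line ~ /sd\/mmc/ || line ~ /card reader/)
                print $1
        }'
}

# List USB controllers (class 0c03) the same way, to see which devices are
# the ones already expected to sit in sys-usb.
find_usb_controllers() {
    awk '/\[0c03\]:/ { print $1 }'
}

# With --live, read the real device list (assumes this is run in dom0).
if [ "${1:-}" = "--live" ]; then
    lspci -nn | find_sd_readers
fi
```

The printed addresses are the ones to look for in the VM settings "Devices" tab.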

Jeremy Rand

Aug 2, 2016, 10:56:39 PM
to qubes...@googlegroups.com
Marek Marczykowski-Górecki:
> On Mon, Aug 01, 2016 at 07:35:26PM +0000, 468ezc+5r0fnwy87qeag via qubes-users wrote:
>> Hi,
>
>> My MicroSD, while attached, is assigned to dom0 and not to sys-usb as it is supposed to be. Notwithstanding, USB devices are still assigned to sys-usb.
>
>> Is this the intended behavior? Doesn't this increase, in the same manner as USB devices do, the attack surface in dom0?
>
> Your (micro)SD card reader is probably not a USB device, but a PCI device.
> Yes, it's better to assign it to some VM - sys-usb is ok. You can do
> this in VM settings - "Devices" tab.

Seems to me that assigning the SD controller to a different VM than
sys-usb would eliminate some attack vectors, since if they're assigned
to the same VM, IOMMU won't prevent software accessing the SD card from
attacking software accessing the USB devices (and vice versa). A
doomsday scenario that comes to mind is when the USB controller is being
used to connect to the Internet via a phone tether, and the SD card is
storing some high-value data. (My doomsday imagination is limited;
perhaps there are better doomsday scenarios.)

Is my intuition on this correct?

Of course, using a separate VM means increased RAM usage, which may or
may not be worth it.

Cheers,
-Jeremy Rand


Marek Marczykowski-Górecki

Aug 3, 2016, 3:21:31 AM
to jer...@veclabs.net, qubes...@googlegroups.com
Generally yes, but I think it's of rather little value. If you have
high-value data, you should encrypt it anyway. Outside of the device-facing
VM, of course. Generally, the VM where you (or someone else) can plug in a
potentially malicious device should not be trusted.

> Of course, using a separate VM means increased RAM usage, which may or
> may not be worth it.
>
> Cheers,
> -Jeremy Rand

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?