How to manage multiple USB controllers


David Shleifman

Oct 10, 2016, 1:08:10 AM
to Qubes-users
The PC system has 2 USB hubs: the first one is used for USB jacks on the front panel, the second one is used for USB jacks on the rear panel. Each hub has 3 controllers:
front.OHCI0 handles first 3 USB 1.1 devices that are plugged in (nothing at the moment)
front.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing at the moment)
front.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (DVD-RW drive and flash stick at the moment)
rear.OHCI0 handles first 3 USB 1.1 devices that are plugged in (USB keyboard and USB mouse are plugged in persistently)
rear.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing at the moment)
rear.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (Web camera, and CD-RW drive are plugged in persistently)
I followed the recommendation at https://www.qubes-os.org/doc/usb/#creating-and-using-a-usb-qube. After running
[dom0]$ qubesctl top.enable qvm.sys-usb
[dom0]$ qubesctl state.highstate
all 6 controllers have been assigned to sys-usb qube. It looks like a very bad idea to mix security sensitive devices such as keyboard/mouse with other devices. Where do I go from this point?

A) Split controllers into two groups and assign each group to a different sys-usb qube? Keyboard/mouse shall end up in a first group, while other devices shall end up in the second group. Is this breakdown in line with the security guidelines (see https://www.qubes-os.org/doc/usb/)?

B) Stay with a single sys-usb qube and assign rear.OHCI0 controller back to dom0? Do I need to remove "sys-usb dom0 ask" from /etc/qubes-rpc/policy/qubes.InputKeyboard? Do I need to remove GRUB_CMDLINE_LINUX rd.qubes.hide_all_usb from /etc/default/grub? How to instruct GRUB to hide all controllers except rear.OHCI0?

Unman

Oct 10, 2016, 9:27:26 AM
to David Shleifman, Qubes-users
I wouldn't assign back to dom0.
There's no reason why you shouldn't adopt some variation on A, and have
different qubes handling different controllers. Of course, you'd have to
make sure that you follow a consistent pattern with use of sockets.
You could enforce this with configuration in the policy file, and by
some udev rules to block anything except storage devices in the relevant
ports.

unman

Franz

Oct 10, 2016, 10:26:14 AM
to Unman, David Shleifman, Qubes-users
I am planning to do something like them with my Lenovo x230 that has a docking station with some USB ports. There should be an independent controller in the docking station.

When I detach the laptop from the docking station the second sys-usb will be unable to find its assigned controller and will give some error, but should be no problem.

Then I may use the USB controller on laptop for more dirty stuff and the controller on the docking station for connecting Trezor for bitcoin transactions and similar more delicate tasks.

Best
Fran
 

raah...@gmail.com

Oct 10, 2016, 3:26:16 PM
to qubes-users, dim...@yahoo.com

look at finding right usb controller. https://www.qubes-os.org/doc/assigning-devices/

If really worried about using a usb keyboard you can use a ps2 one, or get a usb to ps2 adapter.

raah...@gmail.com

Oct 10, 2016, 4:09:04 PM
to qubes-users, dim...@yahoo.com, raah...@gmail.com

I don't think you really have 6 controllers do you? it's probably only three. ohci0, ohci1, and ehci0. On mine I have only two ehci's. one is for the two low speed ports, next to the ps2 port which i use for mouse and keyboard, and is assigned to dom0. The other controller is for everything else I have in sys-usb.

On another machine with xhci (usb3.0) everything gets routed through that one controller. the two ehci controllers get routed through the usb 3.0 making a single controller not 3. so it's either use the two controllers the same way I have on this box with xhci disabled, or enable it then only having a single controller if wanting 3.0 speeds (using the qubes input proxy). To get 3 controllers to have separate usb 2.0 and usb 3.0 you need to find a lga 2011 socket mobo, like an x99, and make sure the bios supports the manual routing feature.

But I haven't tested the new ability to assign separate pci devices now in the new qubes 3.2. Maybe this changes things?

raah...@gmail.com

Oct 10, 2016, 4:11:13 PM
to qubes-users, dim...@yahoo.com, raah...@gmail.com

again though on my one machine i opted to have a single controller so I can have 3.0 speeds, and use a usb to pci adapter for the keyboard. I'm not as concerned about the mouse, at least I hope I don't have to be lol. I use the lockscreen.

David Shleifman

Oct 10, 2016, 8:34:19 PM
to Qubes-users
On Oct. 10, 2016 at 9:27 AM, Unman <un...@thirdeyesecurity.org> wrote

> I wouldn't assign back to dom0.
> There's no reason why you shouldn't adopt some variation on A, and have
> different qubes handling different controllers. Of course, you'd have to
> make sure that you follow a consistent pattern with use of sockets.
> You could enforce this with configuration in the policy file, and by
> some udev rules to block anything except storage devices in the relevant
> ports.

> unman

-------------------------------------------------------------------------



Before trying either "A" or "B" direction, I've stumbled upon the following difficulty: after booting, Xfce pops up a dialog box which invites user to log in. At this time, sys-usb hasn't started yet. That is why the USB keyboard is not operational. In essence, it is a chicken and egg problem: in order to enter a password, the sys-usb VM shall be started; in order to start the sys-usb VM, a valid password shall be entered.



Unman> There's no reason why you shouldn't adopt some variation on A

I was leaning to adopt some variation of the plan "A". Unfortunately, the experience (see previous paragraph) demonstrates that it is not possible :(



I went forward with the plan "B":
B-1) Stay with a single sys-usb qube and remove rear.OHCI0 controller from sys-usb (using Qubes VM Manager). I assume that the controller will be returned back to dom0. Is it correct?
B-2) Remove "sys-usb dom0 ask,user=root" from /etc/qubes-rpc/policy/qubes.InputKeyboard.
B-3) Remove "sys-usb dom0 ask,user=root" from /etc/qubes-rpc/policy/qubes.InputMouse.
B-4) Remove rd.qubes.hide_all_usb from /etc/default/grub and run grub2-mkconfig -o /boot/grub2/grub.cfg in dom.

With this plan in place, I am able to log in using the USB keyboard.



Further enhancements
--------------------
* In the step B-4, it would be nice to hide all USB controllers from dom0 except rear.OHCI0. How to achieve this?

Unman> Of course, you'd have to make sure that you follow a consistent pattern with use of sockets. You could enforce this with configuration in the policy file, and by some udev rules to block anything except storage devices in the relevant ports.
* How to achieve this? Is there some manual? Do you mind to share an example?


* Correct the policy in https://www.qubes-os.org/doc/usb/#how-to-use-a-usb-keyboard manual. It should be:

sys-usb dom0 ask,user=root

raah...@gmail.com

Oct 10, 2016, 9:05:14 PM
to qubes-users, dim...@yahoo.com

go with B1 man. Like I said you can get a ps2 adapter for your usb keyboard and then can have all controllers in the sys-usb if you want. But I don't think there is anything to be worried about having your keyboard in dom0. Unless you got a real sketchy kb. (anything is possible)

As for how to hide all usb controllers except the rear OHCI0, you can't unless it's on a separate controller. Otherwise just add every other controller to sys-usb except the OHCI0 one. Again to make sure you are correctly identifying your controller https://www.qubes-os.org/doc/assigning-devices/ You test with a device plugged in the port to identify the controller.

You can also just go into a vm settings and click on devices to get a list. look for what says usb, to see how many controllers you actually have.

raah...@gmail.com

Oct 10, 2016, 9:12:11 PM
to qubes-users, dim...@yahoo.com, raah...@gmail.com

don't do B2 you need keyboard, not sure why you want b3, with b4 that means the usb ports aint hidden from dom0 during boot like luks passphrase I think that would be security risk unless you constantly unplugging every usb device except your keyboard when you reboot.

David Shleifman

Oct 10, 2016, 9:21:30 PM
to Qubes-users




----- Original Message -----
From: "raah...@gmail.com" <raah...@gmail.com>
To: qubes-users <qubes...@googlegroups.com>
Cc: dim...@yahoo.com; raah...@gmail.com
Sent: Monday, October 10, 2016 4:09 PM
Subject: Re: How to manage multiple USB controllers



> I don't think you really have 6 controllers do you?
dom0$ lspci | grep USB
returns 6 PCI devices:
Bus:Device.Function
00:12.0 ... SB7x0/SB8x0/SB9x0 USB OHCI0 Controller
00:12.1 ... SB7x0 USB OHCI1 Controller
00:12.2 ... SB7x0/SB8x0/SB9x0 USB EHCI Controller
00:13.0 ... SB7x0/SB8x0/SB9x0 USB OHCI0 Controller
00:13.1 ... SB7x0 USB OHCI1 Controller
00:13.2 ... SB7x0/SB8x0/SB9x0 USB EHCI Controller

Is it 6 controllers?




> On mine I have only two ehci's.
> one is for the two low speed ports, next to the ps2 port which i use for mouse and keyboard, and is assigned to dom0. The other
> controller is for everything else I have in sys-usb.

Thanks for sharing your USB topology and controller assignment. Have you been able to hide the USB controllers from dom0 as described in
https://www.qubes-os.org/doc/usb/#creating-and-using-a-usb-qube? So that lspci returns an empty string.




> On another machine with xhci (usb3.0) everything gets routed through that one controller. the two ehci controllers get routed through
> the usb 3.0 making a single controller not 3.


How did you determine that the 2 EHCI(s) are routed through XHCI? What does

dom0$ lspci | grep USB
return? Does it show 3 controllers or one?



> so it's either use the two controllers the same way I have on this box with xhci disabled,
> or enable it then only having a single controller if wanting 3.0 speeds (using the qubes input proxy).

In the latter case, XHCI is attached to sys-usb, and https://www.qubes-os.org/doc/usb/#attaching-a-single-usb-device-to-a-qube-usb-passthrough is employed to pass it to dom0. Is my understanding correct? Are you able to log in (after the boot) using the USB keyboard?

raah...@gmail.com

Oct 10, 2016, 9:46:04 PM
to qubes-users, dim...@yahoo.com

again, I use a ps2 keyboard. i have a little green inch long 99cent - 5 dollar adapter attached to the usb keyboard and in back of pc. on the newer computers the ps2 even hot plug n play whatever like a usb. it will re-initialize when re plugging it just like a usb as well in case you worried about something like that too. It's best practice imo for qubes. ps2 keyboard don't use a usb one.

raah...@gmail.com

Oct 10, 2016, 9:47:50 PM
to qubes-users, dim...@yahoo.com, raah...@gmail.com

yes more people should share their whole environment. Why be scared? I basically want qubes to be more popular. best way to learn is still word of mouth.

raah...@gmail.com

Oct 10, 2016, 9:49:45 PM
to qubes-users, dim...@yahoo.com
On Monday, October 10, 2016 at 9:21:30 PM UTC-4, David Shleifman wrote:

I determined its only two by plugging in a usb stick in all of them and seeing which controller its attached to, by following those directions.

raah...@gmail.com

Oct 10, 2016, 9:51:39 PM
to qubes-users, dim...@yahoo.com, raah...@gmail.com
On Monday, October 10, 2016 at 9:46:04 PM UTC-4, raah...@gmail.com wrote:

although i'm sure this is some security risk in some way haha, but they all do it now. hey it might wake your pc from bad suspend though, unless disabled in bios. might just re-initialize if not working though when re-plugging.

David Shleifman

Oct 10, 2016, 10:23:20 PM
to Qubes-users




> go with B1 man. Like I said you can get a ps2 adapter for your usb keyboard and then can have all controllers in the sys-usb if you
> want. But I don't think there is anything to be worried about having your keyboard in dom0. Unless you got a real sketchy kb. (anything
> is possible)

> As for how to hide all usb controllers except the rear OHCI0, you can't unless it's on a separate controller. Otherwise just add every
> other controller to sys-usb except the OHCI0 one. Again to make sure you are correctly identifying your controller
> https://www.qubes-os.org/doc/assigning-devices/ You test with a device plugged in the port to identify the controller.

> You can also just go into a vm settings and click on devices to get a list. look for what says usb, to see how many controllers
> you actually have.




> Like I said you can get a ps2 adapter for your usb keyboard and then can have all controllers in the sys-usb if you want.

I tried to plug the USB keyboard into a USB-to-PS2 adapter which is plugged into PS2 jack. The keyboard doesn't work this way, probably because it doesn't support I2C protocol.




> But I don't think there is anything to be worried about having your keyboard in dom0. Unless you got a real sketchy kb. (anything is possible)

I am not worried about having the keyboard (and mouse) in dom0, as they are persistently attached to 2 USB jacks at the rear panel.



> As for how to hide all usb controllers except the rear OHCI0, you can't unless it's on a separate controller.

dom0$ lspci | grep USB
returns 6 USB controllers:
Bus:Device.Function
00:12.0 ... SB7x0/SB8x0/SB9x0 USB OHCI0 Controller
00:12.1 ... SB7x0 USB OHCI1 Controller
00:12.2 ... SB7x0/SB8x0/SB9x0 USB EHCI Controller
00:13.0 ... SB7x0/SB8x0/SB9x0 USB OHCI0 Controller
00:13.1 ... SB7x0 USB OHCI1 Controller
00:13.2 ... SB7x0/SB8x0/SB9x0 USB EHCI Controller

Are they 6 separate controllers?

How do I hide all controllers except the "00:12.0 ... SB7x0/SB8x0/SB9x0 USB OHCI0 Controller"?



> Otherwise just add every other controller to sys-usb except the OHCI0 one.

Yes, that is exactly what I did.




> Again to make sure you are correctly identifying your controller https://www.qubes-os.org/doc/assigning-devices/ You test with a device plugged in the port to identify the controller.

Yes, I followed this manual.




> > I went forward with the plan "B":

> > B-1) Stay with a single sys-usb qube and remove rear.OHCI0 controller from sys-usb (using Qubes VM Manager). I assume that the controller will be returned back to dom0. Is it correct?
> > B-2) Remove "sys-usb dom0 ask,user=root" from /etc/qubes-rpc/policy/qubes.InputKeyboard.
> > B-3) Remove "sys-usb dom0 ask,user=root" from /etc/qubes-rpc/policy/qubes.InputMouse.
> > B-4) Remove rd.qubes.hide_all_usb from /etc/default/grub and run grub2-mkconfig -o /boot/grub2/grub.cfg in dom.
> > With this plan in place, I am able to log in using the USB keyboard.

> don't do B2 you need keyboard,
The policy was installed by the SALT management to allow dom0 to use rear.OHCI0 controller attached to the sys-usb VM. Given that
rear.OHCI0 controller is no longer attached to the sys-usb VM (see B-1), this policy is no longer necessary.



> not sure why you want B-3
Same reason. The policy was installed by the SALT management to allow dom0 to use rear.OHCI0 controller attached to
the sys-usb VM. Given that rear.OHCI0 controller is no longer attached to the sys-usb VM (see B-1), this policy is
no longer necessary.

Note that the rear.OHCI0 controller handles both, the keyboard and the mouse.




> With b4 that means the usb ports aint hidden from dom0 during boot like luks
> passphrase I think that would be security risk unless you constantly
> unplugging every usb device except your keyboard when you reboot.
The additional USB devices plugged persistently to this system:
o Web cam
o CD-RW drive (powered down)
o DVD-RW drive (powered down)
Is there a risk to leave Web cam plugged in?

raah...@gmail.com

Oct 10, 2016, 11:04:36 PM
to qubes-users, dim...@yahoo.com

dunno, never had a keyboard not work with a ps2 adapter.

wow! i guess you do have 6 usb controllers. to hide them just add them all to sys-usb except for 12.0 what pc/mobo do you have out of curiosity?

I dunno what all that salt stuff means i'm a total noob. But I do know if you want to use a usb keyboard, you gonna have problems.
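
The controller identification and the "everything except 00:12.0 goes to sys-usb" split discussed in this thread, as an added example that is not part of any poster's message: it maps a USB device's sysfs path to its PCI controller and derives the set of controllers to assign away from dom0. The function names are hypothetical and the sample listing is constructed from the `lspci` output quoted above.

```shell
#!/bin/sh
# Constructed sample: the `lspci | grep USB` listing quoted in the thread
# ("..." is the thread's own elision of the vendor string).
SAMPLE_LSPCI='00:12.0 ... SB7x0/SB8x0/SB9x0 USB OHCI0 Controller
00:12.1 ... SB7x0 USB OHCI1 Controller
00:12.2 ... SB7x0/SB8x0/SB9x0 USB EHCI Controller
00:13.0 ... SB7x0/SB8x0/SB9x0 USB OHCI0 Controller
00:13.1 ... SB7x0 USB OHCI1 Controller
00:13.2 ... SB7x0/SB8x0/SB9x0 USB EHCI Controller'

# Print the Bus:Device.Function of every USB controller in lspci text on stdin.
usb_controllers() {
    awk '/USB/ && $1 ~ /^[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]\.[0-7]$/ { print $1 }'
}

# Map a resolved sysfs device path to the PCI function of its host controller:
# the last PCI component before "/usbN". Returns 1 for a non-USB path.
controller_of() {
    case $1 in */usb[0-9]*) ;; *) return 1 ;; esac
    p=${1%%/usb[0-9]*}        # drop the "/usbN/..." tail
    p=${p##*/}                # e.g. 0000:00:13.2
    printf '%s\n' "${p#*:}"   # drop the PCI domain -> 00:13.2
}

# Live view: one "controller<TAB>product" line per attached USB device.
list_usb_devices() {
    for d in /sys/bus/usb/devices/*; do
        [ -r "$d/product" ] || continue
        printf '%s\t%s\n' "$(controller_of "$(readlink -f "$d")")" "$(cat "$d/product")"
    done
}

# Controllers to hand to sys-usb: all except the one kept for keyboard/mouse.
# Refuses (returns 1) if $1 is not a listed USB controller, so a typo cannot
# silently put the input controller into the sys-usb set.
sys_usb_set() {
    keep=$1
    all=$(usb_controllers)
    printf '%s\n' "$all" | grep -qxF -- "$keep" || return 1
    printf '%s\n' "$all" | grep -vxF -- "$keep" || :
}

# Demo on the sample, keeping 00:12.0 as in the thread's question.
printf '%s\n' "$SAMPLE_LSPCI" | sys_usb_set 00:12.0
```

Running `list_usb_devices` with a device plugged into the port in question shows which PCI function that port lands on, which is the check to make before deciding which controller stays with the keyboard.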

raah...@gmail.com

Oct 11, 2016, 12:58:29 AM
to qubes-users, dim...@yahoo.com, raah...@gmail.com
on my other machine though i have no problems having just one controller i use for mouse and keyboard on dom0, and other controller for everything else in sys-usb.

because i mean, well one prob i've run into is what happens if sys-usb messes up and you have no keyboard lol. I believe this is mostly a desktop pc problem, not a laptop.
