Safely use USB keyboard and untrusted USB devices with only 1 USB controller?


andr...@gmail.com

Mar 19, 2017, 4:50:30 PM
to qubes-users
Hi!

I use an external keyboard and mouse, both currently connected to dom0.
After reading the USB doc I wanted to add a USB qube so I could "safely"
connect other devices (like untrusted pendrives, and my smartphone to an adb
qube).

Since untrusted devices will be connected to this USB qube, it should be
considered untrusted. But I think I only have one USB controller...
This means my keyboard and mouse will need to be connected to this untrusted
qube together with untrusted devices, right?

Is it worth it to create this extra USB qube this way?

Below are the outputs of two commands, if anyone can help me make sure I
really have only one USB controller. I pointed the devices I identified using a
">(device name)". All my 3 USB ports were in use when I ran the commands.

# lsusb
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 04f2:b2e3 >Internal Camera
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 04e8:61b6 >External HDD
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 003: ID 0e6a:030c >External Keyboard
Bus 003 Device 006: ID 046d:c077 >External Mouse
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

# readlink /sys/bus/usb/devices/usb*
../../../devices/pci0000:00/0000:00:1a.0/usb1
../../../devices/pci0000:00/0000:00:1d.0/usb2
../../../devices/pci0000:00/0000:00:14.0/usb3
../../../devices/pci0000:00/0000:00:14.0/usb4


The most similar thread I found about this topic is this one:
https://groups.google.com/forum/#!searchin/qubes-users/usb|sort:relevance/qubes-users/a86st0lUgEw/2FH24xuBFAAJ
But in that case mojosam had 2 controllers.


Thanks for the attention!

Andrew David Wong

Mar 19, 2017, 6:13:48 PM
to andr...@gmail.com, qubes-users

On 2017-03-19 13:50, andr...@gmail.com wrote:
> Hi!
>
> I use an external keyboard and mouse, both currently connected to
> dom0. After reading the USB doc I wanted to add a USB qube so I
> could "safely" connect other devices (like untrusted pendrives, and
> my smartphone to an adb qube).
>
> Since untrusted devices will be connected to this USB qube, it should
> be considered untrusted. But I think I only have one USB
> controller... This means my keyboard and mouse will need to be
> connected to this untrusted qube together with untrusted devices,
> right?
>

If your keyboard and mouse are USB devices, yes.

> Is it worth it to create this extra USB qube this way?
>

That's up to you. The pros and cons are, I think, pretty clearly laid
out on the USB page. If you have specific questions that aren't
addressed there, please feel free to ask.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Unman

Mar 19, 2017, 7:48:04 PM
to andr...@gmail.com, qubes-users
Try 'lspci|grep USB'
Alternatively, look in QubesManager on the devices tab, and see how many
Controllers are there.

unman

Andres MRM

Mar 19, 2017, 8:53:03 PM
to Andrew David Wong, qubes-users
Thanks for the reply, Andrew!

[2017-03-19 19:13] Andrew David Wong:
> That's up to you. The pros and cons are, I think, pretty clearly laid
> out on the USB page. If you have specific questions that aren't
> addressed there, please feel free to ask.

That's what I feared... =/

I think I have no option, for I can only forward the smartphone to an
"adb" qube if the USB controller is in a USB qube, right? (can't do that
from dom0)

Does the USB qube get reset every reboot (like a DVM)? That would reduce
the threat, I think...

And about the commands' outputs, any idea if they really mean only one
USB controller?


Thanks!

Andrew David Wong

Mar 19, 2017, 10:13:34 PM
to Andres MRM, qubes-users

On 2017-03-19 17:52, Andres MRM wrote:
> Thanks for the reply, Andrew!
>
> [2017-03-19 19:13] Andrew David Wong:
>> That's up to you. The pros and cons are, I think, pretty clearly
>> laid out on the USB page. If you have specific questions that
>> aren't addressed there, please feel free to ask.
>
> That's what I feared... =/
>
> I think I have no option, for I can only forward the smartphone to
> an "adb" qube if the USB controller is in a USB qube, right? (can't
> do that from dom0)
>

Right.

> Does the USB qube get reset every reboot (like a DVM)? That would
> reduce the threat, I think...
>

By default, no. It's probably possible to script a disposable USB qube
solution, though.

> And about the commands' outputs, any idea if they really mean only
> one USB controller?
>

I don't know for certain, but I think your machine (like the vast
majority) probably has only one USB controller.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Andres MRM

Mar 20, 2017, 6:36:54 AM
to Unman, qubes-users
Thanks for the replies, Unman and Andrew.
And sorry for not answering you before, Unman, but I only saw your
message now.

[2017-03-19 20:48] Unman:
> Try 'lspci|grep USB'
> Alternatively, look in QubesManager on the devices tab, and see how many
> Controllers are there.

# lspci|grep USB
00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB xHCI Host Controller (rev 04)
00:1a.0 USB controller: Intel Corporation 7 Series/C216 Chipset Family USB Enhanced Host Controller #2 (rev 04)
00:1d.0 USB controller: Intel Corporation 7 Series/C216 Chipset Family USB Enhanced Host Controller #1 (rev 04)

In the devices tab of any VM I also can see these 3 controllers. But, by
the output of the other commands, it seems all my external devices are
connected to the first controller, no?
(Bus 4 and 3, that have id 00:14.0)


Regards
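
Added example, not part of any post in this thread: the shell sketch below joins the `readlink` and `lsusb` output posted above to show which PCI controller each device hangs off, and therefore which devices would land in the same USB qube as the keyboard. The function names are illustrative; the sample data is copied from the posts.

```sh
#!/bin/sh
# Added example: map USB devices to the PCI controller behind their bus.
# Sample data is the output posted in the thread; on a live system feed in
# `readlink /sys/bus/usb/devices/usb*` and `lsusb` instead.
sample_links() { cat <<'EOF'
../../../devices/pci0000:00/0000:00:1a.0/usb1
../../../devices/pci0000:00/0000:00:1d.0/usb2
../../../devices/pci0000:00/0000:00:14.0/usb3
../../../devices/pci0000:00/0000:00:14.0/usb4
EOF
}
sample_lsusb() { cat <<'EOF'
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 04f2:b2e3 >Internal Camera
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 002: ID 04e8:61b6 >External HDD
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 003: ID 0e6a:030c >External Keyboard
Bus 003 Device 006: ID 046d:c077 >External Mouse
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
EOF
}
# stdin: root-hub symlink targets -> "BUS CONTROLLER" per line
bus_to_controller() {
    awk -F/ '{ bus = $NF; sub(/^usb/, "", bus)              # usb3 -> 3
               ctrl = $(NF-1); sub(/^[0-9a-f]+:/, "", ctrl) # 0000:00:14.0 -> 00:14.0
               print bus, ctrl }'
}
# $1: bus map, stdin: lsusb -> "CONTROLLER<TAB>DEVICE", hubs skipped
devices_by_controller() {
    BUSMAP="$1" awk '
        BEGIN { n = split(ENVIRON["BUSMAP"], rows, "\n")
                for (i = 1; i <= n; i++) { split(rows[i], f, " "); ctrl[f[1]] = f[2] } }
        /root hub|Rate Matching Hub/ { next }
        { name = $0; sub(/^.*ID [0-9a-f:]+ >?/, "", name); print ctrl[$2 + 0] "\t" name }'
}
# $1: device pattern, stdin: devices_by_controller output ->
# other devices on the same controller, i.e. in the same USB qube
shares_controller_with() {
    awk -F'\t' -v pat="$1" '
        { c[NR] = $1; d[NR] = $2; if ($2 ~ pat) want = $1 }
        END { for (i = 1; i <= NR; i++) if (c[i] == want && d[i] !~ pat) print d[i] }'
}
map=$(sample_links | bus_to_controller)
sample_lsusb | devices_by_controller "$map"
echo "Shares a controller with the keyboard:"
sample_lsusb | devices_by_controller "$map" | shares_controller_with Keyboard
```

With the posted output, buses 3 and 4 both resolve to 00:14.0, so the external HDD and mouse are listed alongside the keyboard, while the internal camera sits on 00:1a.0.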

cooloutac

Mar 22, 2017, 5:52:26 PM
to qubes-users, un...@thirdeyesecurity.org, andr...@gmail.com

not sure but if it's like my pc when using xhci (usb 3.0) everything goes through that one controller. it looks like you have ehci controller too but not sure. What I do with one controller is use a usb to pci adapter for the kb. For mouse you can use the qubes proxy, not as bad as also having kb in usbvm.

Andres MRM

Mar 23, 2017, 8:21:40 AM
to cooloutac, qubes-users
[2017-03-22 18:52] cooloutac:
> not sure but if it's like my pc when using xhci (usb 3.0) everything goes
> through that one controller. it looks like you have ehci controller too but
> not sure. What I do with one controller is use a usb to pci adapter for the
> kb. For mouse you can use the qubes proxy, not as bad as also having kb in
> usbvm.

Thanks, cooloutac!

What do you mean by "it looks like you have ehci controller too"? What is it?
Can it help me?

Unfortunately my notebook has no PCI port...

cooloutac

Mar 23, 2017, 3:58:51 PM
to qubes-users, raah...@gmail.com, andr...@gmail.com

ehci is for older usb protocol. xhci is for 3.0, maybe there is option in bios to disable usb 3.0. then maybe it will have separate routed controllers? That's how it works on my desktop pc. otherwise all controllers get routed through the xhci one. but then you will be giving up usb 3.0, but maybe worth it not to have kb in sys-usb.

Andres MRM

Mar 26, 2017, 8:05:55 AM
to cooloutac, qubes-users, raah...@gmail.com
> ehci is for older usb protocol. xhci is for 3.0, maybe there is option in
> bios to disable usb 3.0. then maybe it will have separate routed
> controllers? That's how it works on my desktop pc. otherwise all controllers
> get routed through the xhci one. but then you will be giving up usb 3.0,
> but maybe worth it not to have kb in sys-usb.

Thanks, cooloutac! I checked my BIOS, but couldn't find an option to disable
USB 3.0. =/

cooloutac

Mar 26, 2017, 8:14:02 PM
to qubes-users, raah...@gmail.com, andr...@gmail.com

what about using the internal kb, no good?

Andres MRM

Mar 26, 2017, 8:22:46 PM
to cooloutac, qubes-users, raah...@gmail.com

[2017-03-26 21:14] cooloutac:
> what about using the internal kb, no good?

No... I'm using an ergonomic one. It wasn't cheap, it's very different from a
common one and it took me months to get used to it. =P

cooloutac

Mar 27, 2017, 9:13:29 PM
to qubes-users, raah...@gmail.com, andr...@gmail.com

so I guess just take your chances with it on the usb qube. I do it with mouse never seen anything weird happen. a wireless mouse too. although I probably should put lock screen on I just realized I don't even have it on.

Vít Šesták

Mar 28, 2017, 3:03:02 AM
to qubes-users
Well, are you sure that the vast majority of computers have just one USB controller? I find it pretty common even now to have both USB 2 and USB 3 ports. Well, my laptop (though it is quite older) has separate USB2 and USB3 with separate controllers. But maybe today's laptops have both USB2 and USB3 ports handled by the same controller, I don't know.

DVM for sys-usb would be cool, but I don't think it is possible today. The main challenge is probably to attach a PCI device to DVM. Well, maybe if you clone/tune qfile-daemon-dvm or related files… After you attach the USB controller to the DVM, you have essentially won; you will probably need just to upload and run some script (for starting the input proxy) to the USBDVM. This should be trivial, compared to attaching the USB device.

I understand why you want an external ergonomic keyboard. I also have one and I wouldn't want to switch back…

Regards,
Vít Šesták 'v6ak'

Andres MRM

Mar 28, 2017, 7:31:06 AM
to qubes-users
Thanks for the replies!

[2017-03-27 22:13] cooloutac:
> so I guess just take your chances with it on the usb qube. I do it with
> mouse never seen anything weird happen. a wireless mouse too. although I
> probably should put lock screen on I just realized I don't even have it on.

I set up a USB qube. It's working well, for now. =)

[2017-03-28 04:03] Vít Šesták:
> DVM for sys-usb would be cool, but I don't think it is possible today. The
> main challenge is probably to attach a PCI device to DVM. Well, maybe if you
> clone/tune qfile-daemon-dvm or related files… After you attach the USB
> controller to the DVM, you have essentially won; you will probably need just
> to upload and run some script (for starting the input proxy) to the USBDVM.
> This should be trivial, compared to attaching the USB device.

Is there any difference between using a DVM as USB qube, or just recreating
the USB qube when needed (e.g.: after using an untrusted pen drive)?


Best regards

Vít Šesták

Mar 28, 2017, 9:01:50 AM
to qubes-users
Recreating the USB qube (or better: restoring the Qube from backup) sounds like a good alternative to USB-DVM. It should achieve more-or-less the same, depending on how often you restore it from backup etc.

Vít Šesták

May 23, 2017, 2:18:29 PM
to qubes-users
So, I've created DVM-like sys-usb and the first working version was easier than I thought. Just make /var/lib/qubes/servicevms/sys-usb/private.img an empty file. I have renamed the original file and performed "touch private.img".

VM sys-usb then still boots and works as USB input proxy. It does not run X11 apps until I create+chown /home/user and perform systemctl restart qubes-gui-agent.service, but it does not matter so much.

Regards,
Vít Šesták 'v6ak'

Andres MRM

Jul 11, 2017, 8:04:59 AM
to Vít Šesták, qubes-users
[2017-05-23 15:18] Vít Šesták:

> So, I've created DVM-like sys-usb and the first working version was easier than I thought. Just make /var/lib/qubes/servicevms/sys-usb/private.img an empty file. I have renamed the original file and performed "touch private.img".
>
> VM sys-usb then still boots and works as USB input proxy. It does not run X11 apps until I create+chown /home/user and perform systemctl restart qubes-gui-agent.service, but it does not matter so much.

Thanks for the tip! I did it and hope it's working.
But now sometimes I need to "replug" mouse or/and keyboard after boot for them
to work...

oak...@gmail.com

Jun 24, 2019, 7:52:42 PM
to qubes-users

Hi, having problems creating sys-usb and want to use a usb keyboard, usb mouse, and a usb flash drive with the computer, that's it. What would be the most secure setup for that in terms of where to assign my usb devices to? Qubes page says using an Untrusted Qube for them is the most secure, but I don't know what that is and how it differs from a Disposable VM.

awokd

Jun 24, 2019, 10:31:47 PM
to qubes...@googlegroups.com
oak...@gmail.com:

> Hi, having problems creating sys-usb and want to use a usb keyboard, usb mouse, and a usb flash drive with the computer, that's it. What would be the most secure setup for that in terms of where to assign my usb devices to? Qubes page says using an Untrusted Qube for them is the most secure, but I don't know what that is and how it differs from a Disposable VM.
>
sys-usb is an Untrusted Qube. I think in that context the only trusted
Qube is dom0. A disposable VM is one that keeps no state information
between boots, and always reverts to its original definition. You can
combine the two and make a disposable sys-usb.

Are you following the steps in https://www.qubes-os.org/doc/usb-qubes/
to make a sys-usb?