Printing and scanning with Qubes - a love story


Jean-Philippe Ouellet

Jul 19, 2017, 4:02:06 PM
to qubes-users
Hello fellow Qubesers,

Qubes continues to make me feel all warm and fuzzy inside, and makes
me want to share it with the world.

I've been quite busy with real-world things recently and had to use
several different printers & scanners. Prior experience has
conditioned me to expect frustration, or at least annoyance.

On windows I have memories of disabling driver signature enforcement,
installing some big printer "drivers" from totally unauthenticatable
sources, which then actually come with bloated desktop applications
with features like "scan with your webcam". (Hello scanner company: if
that worked well, then nobody would buy your scanners or install their
drivers!) Oh, and the fancy ink level reporting dialogues saying
things like "You have -60012% cyan ink left! Click <dead link> to buy
more now!" - those are great.

On OS X I remember the days of force-killing the printer app as the UI
blocks indefinitely while waiting for a reply from the printer which
isn't coming. Or the network printer which somehow gets a different
DHCP lease every day resulting in a list of 20 saved printers
"helpfully" auto-discovered and persisted, all with the same name, all
indistinguishable in the UI, but only one of which actually works.

On various Linuxes & *BSDs, I remember wrestling for days on every
install to get lpd and cups working, and then dealing with differences
in postscript parsers causing messed up formatting, and stupid udev
rules running things of massive complexity as root so that your
scanner would have a really easy time if it wanted to compromise
you... *sigh*

On Qubes, it's a completely different story. First, I pass my USB
printer or scanner through to a DispVM. To print, I just copy the file
to the DispVM, open it with anything, and print it, and the printer is
automatically found and "just works" (thanks Fedora). To scan: I pass
the printer to a DispVM, open simple-scan, click the scan button, and
it just works! When I'm happy with my scan, I copy it out of the
DispVM and then convert to trusted PDF! So far every printer or
scanner just works the first time, I haven't needed to look under the
hood for anything.

With sys-usb, DispVMs, and convert-to-trusted-pdf I feel reasonably
confident that if the printers or scanners were malicious, the worst
they could do is mutate my documents or store them for later retrieval
by an adversary (which is an inherent problem with any commodity
printer and totally unrelated to the OS used to interface with). This
would be even more true with a stateless laptop without any persistent
mutable firmware for the USB controllers, and when sys-usb can act
like a DispVM itself without hacks (R4?).

Qubes may be far from my theoretically ideal OS, but it absolutely
hits a pragmatic sweet spot improving security *and* usability
simultaneously.

Might I dare re-purpose a colored slogan and say Qubes is truly
"making computers great again"? :P

Sincerely,
Jean-Philippe


</rant> Now back to work...

cooloutac

Jul 19, 2017, 6:08:05 PM
to qubes-users

I do a network printer for convenience; this way I don't have to pass anything or transfer anything. If in an AppVM, just right-click and open the file in the DispVM to print. Increases usability and possibly security, but reduces privacy.

js...@riseup.net

Jul 20, 2017, 12:32:24 PM
to qubes...@googlegroups.com
Jean-Philippe Ouellet:
> On Qubes, it's a completely different story. First, I pass my USB
> printer or scanner through to a DispVM. To print, I just copy the file
> to the DispVM, open it with anything, and print it, and the printer is
> automatically found and "just works" (thanks Fedora). To scan: I pass
> the printer to a DispVM, open simple-scan, click the scan button, and
> it just works! When I'm happy with my scan, I copy it out of the
> DispVM and then convert to trusted PDF! So far every printer or
> scanner just works the first time, I haven't needed to look under the
> hood for anything.
>
> With sys-usb, DispVMs, and convert-to-trusted-pdf I feel reasonably
> confident that if the printers or scanners were malicious, the worst
> they could do is mutate my documents or store them for later retrieval
> by an adversary (which is an inherent problem with any commodity
> printer and totally unrelated to the OS used to interface with). This
> would be even more true with a stateless laptop without any persistent
> mutable firmware for the USB controllers, and when sys-usb can act
> like a DispVM itself without hacks (R4?).

Hi,

I've been having some problems with this myself. Specifically, I'm not
sure how to pass my USB printer to an appVM. The only thing I can see to
do is to attach my whole USB controller to a VM, but I'm pretty sure if
I do that I'll lose my input devices (USB keyboard and mouse) and not be
able to control the system.

Do you have to have a usbvm (sys-usb) in order to get this to work?

My appVMs are based on a debian-8 template, if that matters.

Jean-Philippe Ouellet

Jul 20, 2017, 1:12:01 PM
to js...@riseup.net, qubes-users
See https://www.qubes-os.org/doc/usb/#attaching-a-single-usb-device-to-a-qube-usb-passthrough

> Do you have to have a usbvm (sys-usb) in order to get this to work?

Yes.

> My appVMs are based on a debian-8 template, if that matters.

I'm not aware of any debian-specific issues with USB passthrough,
although I have not tried it myself either.

js...@riseup.net

Jul 21, 2017, 9:29:05 AM
to qubes...@googlegroups.com
Jean-Philippe Ouellet:
Thanks for the reply! I had seen that documentation, but I was hoping
there was another way to do it.

It looks like I can't create a usbvm, because I'm using a desktop
computer with no PS/2 ports and only one USB controller, and so I need
my USB controller in dom0 to use my keyboard and mouse.

Am I wrong about that? If not, it looks like I'm hosed as far as USB
printers are concerned. Oh well. Qubes is still worth it anyway, and I
can always copy files over to my other machine via USB stick when I need
to print something.

Patrik Hagara

Jul 21, 2017, 10:05:52 AM
to js...@riseup.net, qubes...@googlegroups.com
Well, it is possible... However, you have to fully understand all the
security implications -- the USB VM will have full access to your
keyboard and mouse, able to intercept or fake key presses and mouse
movement.

The docs recommend using two-factor authentication for logging into
dom0 (eg. with a Yubikey or similar device) in order to prevent the
(potentially compromised) USB qube from detecting when you lock your
screen and walk away, then unlocking the screen with a captured
passphrase and doing nefarious things. Additionally, you need to be
constantly on the lookout for any "weird" keyboard activity even while
using the computer -- and some of it might be (so fast as to be)
invisible...

Should you decide to proceed with USB qube setup anyway, you will need
to make sure you *do not* use "rd.qubes.hide_all_usb" kernel param as
otherwise you won't be able to enter your disk passphrase during boot.

Additionally, you will have to set an auto-accept policy for
qubes.InputKeyboard and qubes.InputMouse RPC calls coming from the USB
qube *before* creating the USB qube (as otherwise you'd lose all input
methods as soon as the USB qube is started).

Other than that, all the steps are detailed in the doc article already
linked by Jean-Philippe.


Cheers,
Patrik
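As an added example (not code from this thread or from the Qubes project), here is a dom0 helper that applies the order of operations Patrik describes: write the auto-accept rules for qubes.InputKeyboard and qubes.InputMouse before the USB qube exists, and refuse to go on while rd.qubes.hide_all_usb is still on the boot line. The qube name sys-usb, the policy directory and the grub file path are assumptions (Qubes 3.2 defaults).

```shell
#!/bin/sh
# Added example (not the thread's or Qubes' own code). Run in dom0 *before*
# creating the USB qube. Assumed names: qube "sys-usb", the Qubes 3.2 policy
# directory, and /etc/default/grub for legacy boot (UEFI installs keep the
# kernel parameters in /boot/efi/EFI/qubes/xen.cfg; point GRUB_FILE there).
set -eu

USBVM="${USBVM:-sys-usb}"
POLICY_DIR="${POLICY_DIR:-/etc/qubes-rpc/policy}"
GRUB_FILE="${GRUB_FILE:-/etc/default/grub}"

# With a USB-only keyboard, rd.qubes.hide_all_usb leaves no way to type the
# disk passphrase at boot, so refuse to continue while it is present.
check_hide_all_usb() {
    if grep -q 'rd.qubes.hide_all_usb' "$GRUB_FILE" 2>/dev/null; then
        echo "remove rd.qubes.hide_all_usb from $GRUB_FILE first" >&2
        return 1
    fi
}

# Put the auto-accept rule "<source> <destination> allow" at the top of one
# input service's policy file, ahead of any catch-all deny (policy is first
# match). The explicit "allow" replaces the default deny/ask; either default
# would leave the machine without input the moment the USB qube starts.
allow_input() {
    service="$1"   # qubes.InputKeyboard or qubes.InputMouse
    file="$POLICY_DIR/$service"
    rule="$USBVM dom0 allow"
    if [ -f "$file" ] && grep -qxF "$rule" "$file"; then
        return 0   # idempotent: rule already present
    fi
    { echo "$rule"; if [ -f "$file" ]; then cat "$file"; fi; } > "$file.tmp"
    mv "$file.tmp" "$file"
}

# First-match lookup: the action that applies to USB qube -> dom0 for a service.
effective_rule() {
    awk -v vm="$USBVM" '$1 == vm && $2 == "dom0" { print $3; exit }' \
        "$POLICY_DIR/$1"
}

main() {
    check_hide_all_usb
    allow_input qubes.InputKeyboard
    allow_input qubes.InputMouse
    echo "keyboard: $(effective_rule qubes.InputKeyboard)," \
         "mouse: $(effective_rule qubes.InputMouse)"
}
# Only act when explicitly asked:  sh prepare-usbvm.sh apply
case "${1:-}" in apply) main ;; esac
```

Creating the USB qube itself is still done with the steps in the linked documentation; this script only prepares the policy and checks the boot parameter.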

Patrik Hagara

Jul 21, 2017, 10:16:35 AM
to js...@riseup.net, qubes...@googlegroups.com

On 07/21/2017 04:05 PM, Patrik Hagara wrote:
>> Qubes is still worth it anyway, and I can always copy files over
>> to my other machine via USB stick when I need to print
>> something.

This might be a pretty nice attack vector for the "other machine" to
compromise your Qubes system.

Say you buy an (assumed clean) USB stick, connect it to your Qubes system
(which is not using USB VM), format it and copy some documents to
it... Then you plug the stick into your non-Qubes system and print the
docs. That machine might be infected and in turn infect the USB stick.
Now the next time you connect it to your Qubes system, it gets
infected as well.

Game over.

Please note that this scenario is not at all far-fetched -- malware
routinely spreads via removable media. Plus, it's the perfect way of
bridging air-gaps (see eg. Stuxnet for a high-profile malware example).

This might make you think really hard about the trade-offs between
keyboard/mouse security (detailed in my previous e-mail) and not
having a USB VM at all.


Cheers,
Patrik

Franz

Jul 21, 2017, 11:21:15 AM
to js...@riseup.net, qubes...@googlegroups.com
On Fri, Jul 21, 2017 at 10:28 AM, js...@riseup.net <js...@riseup.net> wrote:
> Jean-Philippe Ouellet:
>> On Thu, Jul 20, 2017 at 12:32 PM, js...@riseup.net <js...@riseup.net> wrote:
>>> Hi,
>>>
>>> I've been having some problems with this myself. Specifically, I'm not
>>> sure how to pass my USB printer to an appVM. The only thing I can see to
>>> do is to attach my whole USB controller to a VM, but I'm pretty sure if
>>> I do that I'll lose my input devices (USB keyboard and mouse) and not be
>>> able to control the system.
>>
>> See https://www.qubes-os.org/doc/usb/#attaching-a-single-usb-device-to-a-qube-usb-passthrough
>>
>>> Do you have to have a usbvm (sys-usb) in order to get this to work?
>>
>> Yes.
>
> Thanks for the reply! I had seen that documentation, but I was hoping
> there was another way to do it.

Just buy yourself a cheap network printer adapter that will transform your printer into a network printer. Then you follow the Qubes tutorial for a network printer, which is the canonical way to print under Qubes.

Why complicate your life when it can be simple?
Best
Fran
> It looks like I can't create a usbvm, because I'm using a desktop
> computer with no PS/2 ports and only one USB controller, and so I need
> my USB controller in dom0 to use my keyboard and mouse.
>
> Am I wrong about that? If not, it looks like I'm hosed as far as USB
> printers are concerned. Oh well. Qubes is still worth it anyway, and I
> can always copy files over to my other machine via USB stick when I need
> to print something.


js...@riseup.net

Jul 22, 2017, 10:56:34 AM
to qubes...@googlegroups.com
Patrik Hagara:
Oh, so basically the instructions in the documentation
(https://www.qubes-os.org/doc/usb/) for using USB keyboard and mouse can
be done before creating the usb qube? Just edit the qubes.InputKeyboard
and qubes.InputMouse files as the documentation says, and put in the
name of the usb qube I'm going to create, and then create the usb qube
(using the qubesctl commands at the top of that page)?

I'll have to think about whether I want to do that. It's definitely more
of a security risk, and I don't know if I want to get a Yubikey and
bother with two-factor authentication. Though really it should still be
more secure than using a regular Linux distro, right? Since the same
attack vector is available in that case as well, plus a lot more?

I'm just not sure that I trust enough that I know what I'm doing to not
mess things up and then not be able to use my system!

-Jackie

js...@riseup.net

Jul 22, 2017, 11:07:51 AM
to qubes...@googlegroups.com
Patrik Hagara:
> On 07/21/2017 04:05 PM, Patrik Hagara wrote:
>>> Qubes is still worth it anyway, and I can always copy files over
>>> to my other machine via USB stick when I need to print
>>> something.
>
> This might be a pretty nice attack vector for the "other machine" to
> compromise your Qubes system.
>
> Say you buy an (assumed clean) USB stick, connect it to your Qubes system
> (which is not using USB VM), format it and copy some documents to
> it... Then you plug the stick into your non-Qubes system and print the
> docs. That machine might be infected and in turn infect the USB stick.
> Now the next time you connect it to your Qubes system, it gets
> infected as well.
>
> Game over.
>
> Please note that this scenario is not at all far-fetched -- malware
> routinely spreads via removable media. Plus, it's the perfect way of
> bridging air-gaps (see eg. Stuxnet for a high-profile malware example).
>
> This might make you think really hard about the trade-offs between
> keyboard/mouse security (detailed in my previous e-mail) and not
> having a USB VM at all.
>
>
> Cheers,
> Patrik

Yep, that's definitely a concern. And usb sticks can be compromised
straight out of the box even. Clearly the ideal solution is to use a
PS/2 mouse and keyboard (or just using a laptop as long as the mouse and
keyboard connect internally via PS/2), but unfortunately that's not
really an option for me.

And I'm going to have to transfer files back and forth between these two
systems anyway, one way or another. This is even more problematic
because my other system is Linux/Windows dual boot, so my Linux OS is
really only as secure as Windows!

Though I guess using an online file upload service is an option too, but
I might have problems when I need to transfer 40GB of files!

If I'm going to have to use usb sticks anyway, then it seems like
there's really no point in creating the usb qube and exposing myself to
that additional attack vector in qubes.

Thanks for your help though!

-Jackie

js...@riseup.net

Jul 22, 2017, 11:14:12 AM
to qubes...@googlegroups.com
Franz:
> On Fri, Jul 21, 2017 at 10:28 AM, js...@riseup.net <js...@riseup.net> wrote:
>>>>
>>>> I've been having some problems with this myself. Specifically, I'm not
>>>> sure how to pass my USB printer to an appVM. The only thing I can see to
>>>> do is to attach my whole USB controller to a VM, but I'm pretty sure if
>>>> I do that I'll lose my input devices (USB keyboard and mouse) and not be
>>>> able to control the system.
>>>
>>> See https://www.qubes-os.org/doc/usb/#attaching-a-single-usb-device-to-a-qube-usb-passthrough
>>>
>>>> Do you have to have a usbvm (sys-usb) in order to get this to work?
>>>
>>> Yes.
>>
>> Thanks for the reply! I had seen that documentation, but I was hoping
>> there was another way to do it.
>>
>
> Just buy yourself a cheap network printer adapter that will transform your
> printer in a network printer. Then you follow Qubes tutorial for a network
> printer, which is the canonical way to print under Qubes.
>
> Why complicate your life when it can be simple?
> Best
> Fran

I actually tried that for about an hour, couldn't get it to work and
gave up on it. My printer has a network port too so I didn't need an
adapter. I don't remember exactly what errors I was getting, but even
after I managed to add the printer and install the drivers from the
manufacturer the printer would never respond.

Oh well, maybe I'll try it again sometime and worst case be able to give
a more detailed report.

Thanks!
-Jackie

Franz

Jul 22, 2017, 7:31:11 PM
to js...@riseup.net, qubes...@googlegroups.com
Yes, concentrate on that. This is the way to do it. Install the drivers in the template that generates the DVM; then you will be able to open any file you want to print in a DisposableVM. It works like a charm.


Steve Coleman

Jul 24, 2017, 10:19:56 AM
to qubes...@googlegroups.com
On 07/22/2017 11:14 AM, js...@riseup.net wrote:

> I actually tried that for about an hour, couldn't get it to work and
> gave up on it. My printer has a network port too so I didn't need an
> adapter. I don't remember exactly what errors I was getting, but even
> after I managed to add the printer and install the drivers from the
> manufacturer the printer would never respond.
>

One common issue is solved by assigning a fixed IP to the printer's MAC
rather than allowing it to change each time it connects to any DHCP
server on the LAN. That requires configuring your LAN switch or Wi-Fi router.

Usually network enabled printers also have a web interface, so you can
usually test the IP connection (e.g. tcptraceroute, firefox), and even
configure it in some cases, without jamming up your print queue with
unprinted test-page jobs.
