sys-usb and usb read-only


Nicolas Mojon

Aug 11, 2017, 4:41:41 AM
to qubes-users
Hi,

I would like to know if on the new 4.0 it is possible to lock down data in a VM so that nothing can go out of the VM (like no internet or copy/paste through dom0). I would like to do that especially for USB sticks or other storage devices, so that people can work on things on the USB in the VM but nothing must be able to go out.

In addition to that, I would like to know if it is possible to use the sys-usb VM but with a USB keyboard, because for the moment, when I try to implement it, it ends in a deadlock because I cannot use the keyboard when restarting. And even with the ask policy, it happens after the login so it is pretty problematic, and allowing it completely will probably cause a security issue for my system on top of the question above.

Thank you in advance...

Best regards

Nicolas

Robert Fisk

Aug 11, 2017, 11:49:42 PM
to Nicolas Mojon, qubes-users
Hi Nicolas,

I am not aware of any changes between r3.2 and r4.0 that would affect
your use case. You can disable the vm's networking of course. If you
want a read-only USB flash drive you should look at the USG hardware
firewall. I have recently released configurable firmware with a
read-only mass storage option:

https://github.com/robertfisk/usg/wiki

Regarding USB keyboards with sys-usb, as you have discovered this does
not work. Enabling sys-usb sets a kernel option to hide all USB
controllers from dom0, and you then cannot type the disk password. You
have two choices:

1 - Leave sys-usb enabled. Boot with a PS/2 keyboard attached (laptop
keyboards are PS/2)
2 - Disable sys-usb. Leave your keyboard's PCI USB controller attached
to dom0. Assign other PCI USB controllers to your own usb VM. If your
system only has one USB controller you could purchase a USB expansion card.

Read the Qubes USB docs for more info:

https://www.qubes-os.org/doc/usb/

Regards,
Robert

Jean-Philippe Ouellet

Aug 12, 2017, 5:39:34 PM
to Nicolas Mojon, qubes-users
You can put explicit deny rules for all qrexec services involving that
VM. Copy/paste evaluates qubes-rpc policy too, but with an implicit
undefined or ask meaning yes.

*HOWEVER*: To truly and completely accomplish this is pretty much
impossible with modern computer architectures unless you limit to only
one VM running at a time. There will likely always be ways to
establish covert channels between cooperating VMs due to hardware
side-channels, regardless of whatever Qubes might try to do to stop
it.

See also: https://www.qubes-os.org/doc/data-leaks/

Regards,
Jean-Philippe
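
Added example, not part of the original thread: a small audit that checks whether every qrexec policy file explicitly denies a VM both as source and as target before any allow or ask rule can match, treating "undefined" as a gap as the reply above describes. It assumes the one-rule-per-line `source target action` format with first match winning, handles only literal VM names and the any-VM wildcard, and does not follow include lines; the VM name `usb-work` and the sample policies are constructed.

```python
import os, tempfile

ANYVM = {"$anyvm", "@anyvm"}  # wildcard keyword; its prefix differs between Qubes releases

def rules(text):
    """Yield (source, target, action) from policy text, skipping comments and blanks."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            yield fields[0], fields[1], fields[2].split(",")[0]

def locked(text, vm, role):
    """True if every call with `vm` in `role` (0=source, 1=target) hits a deny first."""
    for rule in rules(text):
        mine, other, action = rule[role], rule[1 - role], rule[2]
        if mine != vm and mine not in ANYVM:
            continue            # rule is about some other VM
        if action != "deny":
            return False        # an allow/ask rule is reachable before a blanket deny
        if other in ANYVM:
            return True         # blanket deny: nothing below it can match
    return False                # no blanket deny: undefined, so not locked down

def audit(policy_dir, vm):
    """Return sorted service names whose policy does not fully deny `vm`."""
    gaps = []
    for name in sorted(os.listdir(policy_dir)):
        path = os.path.join(policy_dir, name)
        if os.path.isfile(path):
            with open(path) as fh:
                text = fh.read()
            if not (locked(text, vm, 0) and locked(text, vm, 1)):
                gaps.append(name)
    return gaps

SAMPLE = {  # constructed policy files for a hypothetical VM named "usb-work"
    "qubes.Filecopy": "usb-work $anyvm deny\n$anyvm usb-work deny\n$anyvm $anyvm ask\n",
    "qubes.ClipboardPaste": "$anyvm $anyvm ask\n",
    "qubes.OpenURL": "usb-work $anyvm deny\n$anyvm $anyvm ask\n",  # inbound still open
}

def demo():
    """Write SAMPLE to a temporary directory and audit it for usb-work."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return audit(d, "usb-work")
```

In dom0 the same check would be `audit("/etc/qubes-rpc/policy", "<vm-name>")`; an empty list means every service file has an explicit deny in both directions.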