Isolating USB devices


Dan

Mar 23, 2022, 2:58:14 AM3/23/22
to Qubes Users
Hello fellow Qubies,

I have my USB controller (the PCI device) assigned to sys-net because I have a USB-Ethernet device. I also have my USB keyboard and mouse in sys-net on the same USB controller, and the keyboard and mouse can control dom0. My system has only one USB controller.

I want to isolate compromises of sys-net. Would there be any advantage to creating sys-usb and then attaching only the USB-Ethernet device to sys-net? My USB-Ethernet device shows up as a device in the device widget (currently under sys-net as described above).

So then my plan would be to put the USB controller in sys-usb, then attach just the USB-Ethernet device to sys-net. Would that reduce the ability of sys-net to compromise the USB controller and the keyboard?

Thanks,
Dan

Dan

Mar 23, 2022, 3:51:35 AM3/23/22
to Qubes Users
I implemented my idea, but I also stopped using the USB keyboard and mouse.

Now I have sys-usb with the USB controller PCI device attached and sys-net with the USB-Ethernet device attached from sys-usb. The only glitch is that on boot up, sys-net will not start at all if the USB-Ethernet device is not available, but sys-usb starts after sys-net when they are both set to autostart. I think the autostart ordering for VMs is essentially arbitrary (possibly alphabetical).

How can I specify an ordering for VM startup or a dependency on a USB device?


Demi Marie Obenour

Mar 23, 2022, 11:08:37 AM3/23/22
to qubes...@googlegroups.com
Perhaps? It depends on the specific NIC in question. Fixing this
properly will require switching to a unikernel for sys-usb. I also
suggest blocklisting the USB Ethernet drivers in sys-usb’s template,
and loading them manually in sys-net.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Dan

Mar 25, 2022, 8:16:33 PM3/25/22
to Qubes Users
On Wednesday, March 23rd, 2022 at 12:51 AM, Dan <anonym...@pm.me> wrote:

> I implemented my idea, but I also stopped using the USB keyboard and mouse.
>
> Now I have sys-usb with the USB controller PCI device attached and sys-net with the USB-Ethernet device attached from sys-usb. The only glitch is that on boot up, sys-net will not start at all if the USB-Ethernet device is not available, but sys-usb starts after sys-net when they are both set to autostart. I think the autostart ordering for VMs is essentially arbitrary (possibly alphabetical).
>
> How can I specify an ordering for VM startup or a dependency on a USB device?

I'll document how I solved this. First, I tried creating:
/etc/systemd/system/qube...@sys-net.service.d/60_afterusb.conf
with content:
[Unit]
Requires=qube...@sys-usb.service
After=qube...@sys-usb.service

For reasons I didn't investigate, this wasn't sufficient. sys-net still failed to autostart. Then I added:
/etc/systemd/system/qube...@sys-usb.service.d/60_beforenet.conf
with content:
[Unit]
Before=qube...@sys-net.service

This caused sys-net to autostart, but sys-firewall still failed to autostart. Then I added:
/etc/systemd/system/qube...@sys-firewall.service.d/50_autostart.conf
with content:
[Unit]
Before=systemd-user-sessions.service
After=qube...@sys-net.service

and then I finally had a system that would boot up to a running sys-usb, sys-net, and sys-firewall.

As a reminder, all the systemd configuration came after doing:
qvm-usb attach --persistent sys-net sys-usb:<ethernet-device>

Bare minimum requirements to get a
1. working system
2. with a USB Ethernet device
3. with separate sys-net and sys-usb

If there is any value in having separate sys-net and sys-usb with USB Ethernet devices, I recommend fixing this in future releases/installers, as USB Ethernet is probably the second most common way to connect to the internet from laptops, after WiFi. Laptops don't come with PCI based Ethernet devices anymore.
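As an added example (not code from this thread or from the Qubes OS project), here is a POSIX shell script that writes the three dom0 systemd drop-ins Dan lists above and the modprobe blocklist Demi suggests for the sys-usb template, into a root directory of your choice so the result can be inspected outside dom0 first. Two things are assumptions rather than facts from the thread: that the dom0 per-qube autostart unit is named qubes-vm@<qube>.service (the archive masks that name in Dan's post), and that the USB Ethernet drivers worth blocklisting are the ones in USB_NET_MODULES. Adjust both to match your system.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes OS itself.
# Generates, under a root directory you choose, the dom0 systemd drop-ins Dan
# describes (sys-usb before sys-net, sys-firewall after sys-net) and the
# modprobe blocklist Demi suggests for the sys-usb template.
#
# Assumptions (not taken from the thread):
#  - the dom0 per-qube unit is qubes-vm@<qube>.service; override UNIT_PREFIX
#    if yours differs.
#  - USB_NET_MODULES lists common USB Ethernet drivers; check `lsmod` in
#    sys-net for the one your adapter actually uses.
# Pass a scratch directory as ROOT for a dry run; in dom0 pass "" to write
# to the real /etc and then run `systemctl daemon-reload`.

UNIT_PREFIX="${UNIT_PREFIX:-qubes-vm@}"
USB_NET_MODULES="${USB_NET_MODULES:-usbnet cdc_ether cdc_ncm r8152 ax88179_178a asix}"

# write_dropin ROOT QUBE FILE CONTENT: write one drop-in for the qube's
# autostart unit and print the resulting path.
write_dropin() {
    root=$1; qube=$2; file=$3; content=$4
    dir="$root/etc/systemd/system/${UNIT_PREFIX}${qube}.service.d"
    mkdir -p "$dir"
    printf '%s\n' "$content" > "$dir/$file"
    printf '%s\n' "$dir/$file"
}

# install_ordering ROOT [NET] [USB] [FW]: the three drop-ins from the thread.
install_ordering() {
    root=$1; net=${2:-sys-net}; usb=${3:-sys-usb}; fw=${4:-sys-firewall}
    # sys-net needs sys-usb up first, since its NIC is attached from sys-usb.
    write_dropin "$root" "$net" 60_afterusb.conf "[Unit]
Requires=${UNIT_PREFIX}${usb}.service
After=${UNIT_PREFIX}${usb}.service"
    # Dan found the mirror-image Before= on sys-usb was needed as well.
    write_dropin "$root" "$usb" 60_beforenet.conf "[Unit]
Before=${UNIT_PREFIX}${net}.service"
    # sys-firewall must still come up before the login session, but only
    # after sys-net is running.
    write_dropin "$root" "$fw" 50_autostart.conf "[Unit]
Before=systemd-user-sessions.service
After=${UNIT_PREFIX}${net}.service"
}

# install_usb_net_blocklist ROOT: modprobe blocklist for the sys-usb template
# (Demi's suggestion). A "blacklist" entry stops udev from auto-loading the
# driver when the adapter is plugged in, so the USB qube never binds a network
# driver to an untrusted adapter; an explicit modprobe in sys-net still works.
install_usb_net_blocklist() {
    root=$1; dir="$root/etc/modprobe.d"; out="$dir/blocklist-usb-net.conf"
    mkdir -p "$dir"
    : > "$out"
    for m in $USB_NET_MODULES; do
        printf 'blacklist %s\n' "$m" >> "$out"
    done
    printf '%s\n' "$out"
}

# ordering_ok ROOT NET USB: check that the generated files order NET after
# USB and USB before NET, i.e. both directions Dan's fix required.
ordering_ok() {
    root=$1; net=$2; usb=$3
    grep -q "^After=${UNIT_PREFIX}${usb}.service\$" \
        "$root/etc/systemd/system/${UNIT_PREFIX}${net}.service.d/60_afterusb.conf" 2>/dev/null &&
    grep -q "^Before=${UNIT_PREFIX}${net}.service\$" \
        "$root/etc/systemd/system/${UNIT_PREFIX}${usb}.service.d/60_beforenet.conf" 2>/dev/null
}

# Usage (dry run):  install_ordering /tmp/dryrun && ordering_ok /tmp/dryrun sys-net sys-usb
```

The ordering drop-ins belong in dom0; the blocklist belongs in the root of the sys-usb template, not in dom0. If sys-net uses the same template, it will inherit the blocklist, so load the driver there explicitly (for example a `modprobe` line in sys-net's `/rw/config/rc.local`), which is the "loading them manually in sys-net" half of Demi's suggestion.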
