On Fri, Nov 10, 2017 at 9:22 AM, Yuraeitha <yura...@gmail.com> wrote:
> On Friday, November 10, 2017 at 11:38:47 AM UTC, blacklight wrote:
>>> As long as that is the case, it's not worth the complexity IMO. Note
>>> however that the storage subsystem API for R4 has still been designed
>>> to be compatible with moving storage out of dom0 in the future.
>>
>>
>> In https://github.com/QubesOS/qubes-issues/issues/1293 @Marek mentions
>> that it would protect against malicious disk firmware, since this could own
>> Dom0 via a DMA attack. Is Qubes currently still vulnerable to this
>> type of attack?
Yes, that's correct.
> You could install a template with a microkernel and slim it down so it
> barely has anything installed. For example a minimal template. Then pass
> through your entire USB controller, assuming you have more than one
> controller. Typically, many systems have at least two controllers, even
> laptops, but many also have only one USB controller. Most modern day
> motherboards have a minimum of two controllers by default, without adding extra
> PCI USB cards with one or more USB controllers.
>
> Basically, if you pass the entire USB controller, then it shouldn't be able
> to reach dom0 through firmware DMA attacks. But I'm no expert, it's just my
> understanding of it.
>
> Furthermore, if the USB controller / Card has no PCI reset, then malware may
> survive when switching between domains. So it may be a good idea to keep
> this USB controller strictly for that domain only and never move it, if it
> has no PCI reset feature.
>
> BadUSB? I guess this one can't be avoided even with PCI reset.. at which
> case, again, keep the same USB controller on the same domain, forever and
> ever, and you should be okay. Remember to block it in the USB controller
> from the booting process, as well as in dom0 once booted, so it never
> touches anything outside the domain, ever.
>
> I'm not sure if each USB controller has its own firmware or if they share
> firmware with other USB controllers, i.e. on the motherboard or on the same
> PCI card with multiple USB controllers. Someone who knows more will have to
> answer that one, whether they are separate or not on the firmware level.
The purpose of an untrusted storage domain is not to guard against USB
devices - those are already isolated via sys-usb.
The goal is to mitigate attacks coming from your internal disk (SSD)
controller or disk firmware, as well as potential attacks against the
storage layers used by Qubes (e.g. LVM, etc.).
These are orthogonal.
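As an added example (not from the thread, and not Qubes tooling), a POSIX shell check for the PCI reset concern raised above: it walks a sysfs PCI device tree and reports which USB host controllers expose a kernel `reset` node, since a controller without one is the case where state may survive reassignment between VMs. The sysfs root argument and the constructed device entries are assumptions for offline use.

```shell
#!/bin/sh
# Added example, not from the original thread. For each PCI USB host
# controller (class 0x0c03xx) under a sysfs PCI device directory, report
# whether the kernel exposes a "reset" attribute. No attribute means the
# device cannot be reset on reassignment, the case the thread warns about.

pci_usb_reset_report() {
    root="${1:-/sys/bus/pci/devices}"   # assumption: real tree by default
    for dev in "$root"/*; do
        [ -f "$dev/class" ] || continue
        cls=$(cat "$dev/class")
        case "$cls" in
            0x0c03*) ;;                 # USB host controllers only
            *) continue ;;
        esac
        if [ -e "$dev/reset" ]; then
            status="reset-capable"
        else
            status="NO-RESET"
        fi
        printf '%s %s\n' "$(basename "$dev")" "$status"
    done
}

# Constructed sysfs tree so the check can be demonstrated offline.
make_fake_sysfs() {
    base=$(mktemp -d)
    for bdf in 0000:00:14.0 0000:03:00.0 0000:00:1f.2; do
        mkdir -p "$base/$bdf"
    done
    echo 0x0c0330 > "$base/0000:00:14.0/class"  # xHCI with a reset node
    : > "$base/0000:00:14.0/reset"
    echo 0x0c0310 > "$base/0000:03:00.0/class"  # OHCI add-in card, no reset
    echo 0x010601 > "$base/0000:00:1f.2/class"  # SATA controller, skipped
    echo "$base"
}
```

Run `pci_usb_reset_report` with no argument on a real host to inspect the actual controllers before deciding which one to dedicate permanently to a domain.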