-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Sat, Jun 25, 2016 at 11:19:14AM -0700, Ali Mammadov wrote:
> IMHO, It might be good to implement this feature to protect against cold
> boot attacks and physical stealing of running laptop. Taking in account
> restrictions on how USB devices are handled in Qubes OS, powering dom0 off
> by a signal from some VM seems hard to implement, let alone full RAM wipe.
Actually not that hard. Just a matter of simple qrexec service. This of
course means that malicious USB VM will be able to shutdown your system
at any time...
Take a look here:
https://www.qubes-os.org/doc/qrexec3/
Something like this:
dom0:/etc/qubes-rpc/emergency-shutdown (make it executable)
#!/bin/sh
# some other command to shutdown/wipe ram?
sudo poweroff -fn
dom0:/etc/qubes-rpc/policy/emergency-shutdown
sys-usb dom0 allow
$anyvm $anyvm deny
Then in your sys-usb trigger this command on usb removal:
qrexec-client-vm dom0 emergency-shutdown
It can be done for example with some udev rule:
sys-usb:/rw/config/usb-emergency.rules
ACTION=="remove", ENV{ID_VENDOR}=="1234", ENV{ID_MODEL}=="5678",
RUN+="/usr/bin/qrexec-client-vm dom0 emergency-shutdown"
sys-usb:/rw/config/rc.local (make it executable)
#!/bin/sh
cp /rw/config/usb-emergency.rules /etc/udev/rules.d/
udevadm control --reload
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJXbvzxAAoJENuP0xzK19csQosH/jOD7lxIHGzTliMTSxBfW2Ud
tImhZAYI4rcx9feltngkEu95qFwNyxgHDZXmYbs/8NlU+tyVA1BdDFejHC5PNLOb
t6Wea27vtNw/66EQZ2/BiBJtpnNbeM8azwIw9gAJkMhzitAap9lULmLg8TV4rKpB
PTRSS2b7TyowQox6fae2m7A+Hny5wV5X3t37Z0RFf5+JAg7XEkA39+NnTSYaxPOX
ITzeoq6GCQsl+4c/SPmfz3k8Jk4gAMaqnM1LvNrhyXEC8jsIft1rNAQoWUvLfH8S
cS0/ksJwawnq/eDRPVqi5rEfy3LLyhA0It99trss1RXceoAiKc2Z2AnM8cd3ydM=
=w7S+
-----END PGP SIGNATURE-----