printing setup

[Индарил Шприц]

I don't know how to print from AppVM.

How this is supposed to work?

[Axon]

On 10/10/13 06:28, Индарил Шприц wrote:
> I don't know how to print from AppVM.
>
> How this is supposed to work?
>

It depends on the location of your printer/how it is connected.

If it's a local USB printer, for example, you could just give your AppVM
control of the USB controller. (Of course, you may have to install some
drivers depending on your printer model.)

[Franz]

On Thu, Oct 10, 2013 at 11:28 AM, Индарил Шприц <indaril...@gmail.com> wrote:

I don't know how to print from AppVM.

How this is supposed to work?

Easiest way is to setup a network printer:
http://qubes-os.org/trac/wiki/NetworkPrinter

If you do not have a network printer you can buy a simply adapter compatible with your printer. I got a TP-link PS110U that works perfectly.

Best

Franz

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
Visit this group at http://groups.google.com/group/qubes-users.
For more options, visit https://groups.google.com/groups/opt_out.

[Brian J Smith-Sweeney]

On Thu, Oct 10, 2013 at 11:12 AM, Franz <169...@gmail.com> wrote:
>
>
>
> On Thu, Oct 10, 2013 at 11:28 AM, Индарил Шприц <indaril...@gmail.com>
> wrote:
>>
>> I don't know how to print from AppVM.
>>
>> How this is supposed to work?
>
> Easiest way is to setup a network printer:
> http://qubes-os.org/trac/wiki/NetworkPrinter
>
> If you do not have a network printer you can buy a simply adapter compatible
> with your printer. I got a TP-link PS110U that works perfectly.

Seems like you could create a dedicated standalone VM to act as a
print server, with the locally-connected USB or network printer
configured, and then have your AppVMs point to that via CUPS. Not sure
there's much value in terms of security boundary with a dedicate print
VM since you're likely going to have to install all the CUPS
infrastructure on the AppVMs anyway (though the NetworkPrinter page
makes a good point about potentially buggy drivers and installation
process).

Seems like a dedicated print VM would though address the issue of
installing the drivers into the template VM and then having to shuttle
around the USB device to different AppVMs whenever you wanted to
print.


Cheers,
Brian

[Axon]

On 10/10/13 08:12, Franz wrote:
> On Thu, Oct 10, 2013 at 11:28 AM, Индарил Шприц
> <indaril...@gmail.com>wrote:
>
>> I don't know how to print from AppVM.
>>
>> How this is supposed to work?
>>
>> Easiest way is to setup a network printer:
> http://qubes-os.org/trac/wiki/NetworkPrinter
>
> If you do not have a network printer you can buy a simply adapter
> compatible with your printer. I got a TP-link PS110U that works perfectly.
> Best
> Franz
>

If you have/want a network printer, sure, but you shouldn't have to buy
any extra hardware, IMHO. I use a USB printer in the way described in my
previous email, and it's very easy.

[Axon]

Remember that you can also just qvm-copy-to-vm the document you wish to
print from any AppVM to the AppVM to which the printer is connected. The
undesirable part of this is that you end up copying documents from
different security levels to this "printer" domain (more likely "usb"
domain), but:
1) This domain can (and probably should) be disconnected from the
network, making leaks less likely.
2) You only ever have to copy from higher security domains to lower
security domains.
3) You would probably face equal (or greater) confidentiality risk with
a standalone network printer or a network printer connected to a
different physical machine.

[Joanna Rutkowska]

You can also open the document in a Disposable VM and print from there.
This requires the printer drivers to be installed in the Disposable VM
template only (you must use qvm-create-default-dvm to generate a new
template). I think this will not work for a USB-connected printer,
because, as of now, there is no way to persistently assign USB
controllers (or any other PCI device) to a disposable VM.

One problem that is not solved with network printers, and which is a
limitation of current printers AFAIK, is that the printing protocols are
not encrypted, so e.g. somebody sitting in your netvm can sniff the
confidential documents you're printing. On the other hand, even if
secure protocols were used to talk to the printer, I would still assume
the printer itself to be backdoored.

I guess the bottom line is: you don't want to ever print really
confidential documents.

joanna.

[IX4 SVS]

It took Mikko 90 seconds to describe why printing stuff you don't want traced back to you is a bad idea:
http://www.ted.com/talks/mikko_hypponen_three_types_of_online_attack.html

Attack surfaces aside, such core functions of desktop operating systems should ideally be supported natively & transparently. Thanks to the OP for bringing this up as I've also been unable to print from my Qubes system to a USB printer but been too embarrassed to ask :-]

Alex 

[Axon]

A related issue is scanning. Suppose you have some important,
confidential documents which you want to scan for digital archiving.
(And who doesn't?) Is there a safe way to do it?

Let's assume it's a USB scanner. I see two main options:

1) Have the scanner connected to the "usb" domain. Scan the document
there, then qvm-copy it to "banking" (or wherever).

Problem: You're copying from a less trusted to a more trusted domain.

2) Connect the scanner directly to the "banking" domain. Scan the
document there.

Problem: You have to install the scanner drivers and software in
whichever template you want to use with "banking," and you have to run
this software inside the "banking" domain, even though it's probably
unsigned and untrusted. You also have to detach the USB controller from
the "usb" domain (or whichever domain it was previously attached to) and
attach it to the "banking" domain (or whichever domain you want to scan
in) every time you want to scan something (not to mention all the other
uses for USB ports).

Which option is preferable from a security perspective?

Note: You could combine trusted-pdf-conversion with option 1, but since
the conversion process roughly doubles the file size and makes the
document somewhat blurry (in my experience), this probably isn't going
to be an option for many people whose goal is to make a permanent
digital archive of important, unique, irreplaceable, and/or confidential
documents. (It also eliminates searchability and OCR, but a document
which you produce yourself by scanning may not have these to begin with.)

[Franz]

I am using a third option. Using a portable scanner (Skypix) which is really very good and practical for what it costs and how small it is. It automatically saves the jpg images onto a micro SD card installed into the device. No drivers.

So I can simply connect a usb cable and attach it to any AppVM. But also this gives me doubts: if I attach it first to a low trust VM and then to a higher trust VM (which I do routinely) is there a way to transfer some attack to the higher trust VM? Perhaps corrupting the file system of the microSD card?

Best

Franz

[Axon]

Interesting. That sounds useful. (I would probably want one that can
save the file as a PDF, though. Can yours do that?)

> So I can simply connect a usb cable and attach it to any AppVM. But also
> this gives me doubts: if I attach it first to a low trust VM and then to a
> higher trust VM (which I do routinely) is there a way to transfer some
> attack to the higher trust VM? Perhaps corrupting the file system of the
> microSD card?

I think it's possible, but I wonder whether the probability of a
successful attack might still be lower with your method than with either
options 1 or 2 above. (If so, I would use your method.)

> Best
> Franz
>

[Joanna Rutkowska]

1) Scanning into UsbVM --> the UsbVM can "see" your confidential files,
so it makes the UsbVM somehow trusted. Further transfer from UsbVM ->
AppVM is not a problem if one uses Trusted PDF converter or something
along those lines. Otherwise, of course, the UsbVM might compromise the
PDF files and try to exploit the target AppVM somehow.

2) Assigning USB controller to the target AppVM --> this opens up large
attack surface against this target AppVM via bugs in the USB stacks,
filesystem parsing bugs, etc. Generally one should avoid assigning USB
controllers to trusted AppVMs.

There is really no good solution to this problem. But, really, if you
have some confidential documents on papers... it means these are not
really so confidential, because somebody must have printed them before,
which, as we just agreed above, is not a very secure process anyway :)

joanna.

[Franz]

No, only JPG. I can only choose between B&W and color