Working with a BTC hardware wallet on Qubes

[Thomas Jefferson]

Hi,

I'm trying to use my ledger nano s and trezor with Qubes. I think the best approach, since I need to attach the entire USB controller for this to work, would be to use the existing sys-usb. However by default the sys-usb is not connected with any NetVM, hence I don't know if this would increase my attack vector.
What's the safest way to use trezor or ledger nano s with Qubes?

Should I use the sys-usb or should attach the USB controller to a different AppVM and use my HW wallet there? (The latter option will invalidate the use of my mouse, so if any other option is available, I'd glad hear it)  

Thanks

[Franz]

I had to buy a working expresscard usb controller and then reboot. But if you do not have the slot or do not want the extra hassle/battery consumption probably the best way is to connect sys-usb to sys-net. At the end they are both considered compromised, so which is the risk of connecting them? That sys-usb can spread its malware using  sys-net? Unless you use usb block devices for strategic/important things, which is not advised, then it seems an acceptable risk.

Regarding specifically Trezor and I suppose also Ledger, they are supposed to be safe even if the hardware on which they are mounted is compromised. So even a compromised sys-usb may be acceptable.

Best

Fran

Thanks

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscribe@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/37511761.234.1499886552897%40office.mailbox.org.
For more options, visit https://groups.google.com/d/optout.

[Thomas Jefferson]

Thanks for the update.
I was trying to attach a NetVM to sys-usb however it seems that sys-usb is already a NetVM in itself, hence I cannot add it to the sys-net.
Do you have any idea how can I have internet on the sys-usb ?


Thank you again

[Thomas Jefferson]

I also forgot to mention, if ultimately the sys-usb will have internet, then what's the difference between the sys-net or sys-usb? Why using two separated SysVMs if both can be used as a NetVM?

On 12 July 2017 at 22:52 Franz <169...@gmail.com> wrote:

[Franz]

On Wed, Jul 12, 2017 at 6:17 PM, Thomas Jefferson <myd...@mailbox.org> wrote:

I also forgot to mention, if ultimately the sys-usb will have internet, then what's the difference between the sys-net or sys-usb? Why using two separated SysVMs if both can be used as a NetVM?

What I noted is that when you install Qubes you are given an option to install sys-usb or not.  I suspect that if you select "not" then what  happens is that USB controllers are assigned to sys-net. So making it a single sys-vm.

Also I wonder which place may a firewall have with that. I assigned my expresscard USB controller to a TrezorVM which uses the standard firewall, but sys-net has no firewall.

[Mr. DONG]

I do have a sys-usb vm, however I cannot attach a netVM to it since the sys-usb is also a netvm.

I possibly will need to create a new sys-usb vm or is there any other alternative?

[Essax]

Have you tried these steps:

1) Attach hardware wallet to sys-usb

2) Go to the dom0 Gui and and right click on the appVM you want to attach it to.

3) In the box that opens scroll down to Attach/detach block devices and your hardware wallet should show up to the right.

4) Right click on your hardware wallet to attach it to your appVM.

Essax

Sent with ProtonMail Secure Email.

--

You received this message because you are subscribed to the Google Groups "qubes-users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.

To post to this group, send email to qubes...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1455174408.2312.1499977395517%40office.mailbox.org.

[Patrik Hagara]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 07/14/2017 02:54 AM, 'Essax' via qubes-users wrote:
> Have you tried these steps:
>
> 1) Attach hardware wallet to sys-usb 2) Go to the dom0 Gui and and
> right click on the appVM you want to attach it to. 3) In the box
> that opens scroll down to Attach/detach block devices and your
> hardware wallet should show up to the right. 4) Right click on your
> hardware wallet to attach it to your appVM.
>

> /Essa*x*/

>
>> -------- Original Message -------- Subject: [qubes-users] Re:
>> Working with a BTC hardware wallet on Qubes Local Time: July 13,
>> 2017 4:23 PM UTC Time: July 13, 2017 8:23 PM From:
>> pa...@mailbox.org To: qubes...@googlegroups.com
>>
>> I do have a sys-usb vm, however I cannot attach a netVM to it
>> since the sys-usb is also a netvm.
>>
>> I possibly will need to create a new sys-usb vm or is there any
>> other alternative?

Attaching it as a block device won't work, since bitcoin hardware
wallet is not a mass storage device. Luckily, it's not emulating a HID
device either, which would get picked up by the dom0 USB
keyboard/mouse input proxy. Thus, there's no graphical means of
attaching USB bitcoin hardware wallet in Qubes to another VM...

You can, however, attach it via the qvm-usb command line tool:

1) connect the bitcoin hardware wallet
2) in dom0 terminal, run `qvm-usb -l` to list USB devices attached
3) locate the line with bitcoin wallet and note the first column (eg.
"sys-usb:2-1.6")
4) run `qvm-usb -a bitcoin sys-usb:2-1.6` from a dom0 terminal to
attach the wallet to bitcoin AppVM


Cheers,
Patrik
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZaIU1AAoJEFwecd8DH5rlHfsP/1jkZ1IDWrTy60wBno/MUIU7
bVzDx7i81zRWdIaDn4d7rl6DrTetGmqa7MZLferLNilZldA/DymTrXH33/+Ewvfu
JCGtc4BpNkkigOV+fjj7ov49flEjCP1nIDoZK3PzHvxN8lS6MnuGIPnbw+z97cew
aOJAoZqFhaWO9oj31x/fiLqAjl+oYodU4n7L/342Xn7qmc1AiFtURzA9yVBJNoyW
6nfdmKKBSEUkdsbvhNTIznAqbfKg35Xf9lZOflO0CjTg2o+TCFIoLexceCi1IgaB
+k10IF9BkYkimF0GclplZ4dZ9w/G2iL2bheXBy0gWL15dTsasM3PJgmjj2HEusIA
xlg6EetjmDF8roUym8QldepNsIAPW5/8SuXz4vkl5uxChh54V+BMQx3cBGImVxSf
UwM+hd8/1pfyMmAmsYiK+UFX3rHdIdBKTxEuJjZrJhqRjAnpymBjGe1clwkE4ziy
33VeRSqKi4s46yhH2NpjXmCL256na/seNdILAYBlLW15tXgQCKUFZ9EI6Sj3Z4GZ
qhAnlsuN3yXZ/FX/vv+SLkZpNGKdZj7bqbuJx0j3rtMfXdx0yJPBEeEQjkGzWz/5
tNy9N2V0C+f0LKpXIMNd8npEOyFBKmb9HL8NNcb7u9IQvMEx6YCArcbqqw5ElOix
UJGME31rhswPB/0vLAil
=frd+
-----END PGP SIGNATURE-----

[Mr. DONG]

Unfortunately that doesn't work either.

The "qvm-usb -l" doesn't show my legder nano s. In fact I can only see it attached on the sys-usb, not on dom0.

The qvm-usb list output shows no difference either I attach or not the HW wallet. The only way I can attach to another appvm is if I attach the entire PCI  controller, via the usb-passthrough does not work.

Any alternatives?

[Patrik Hagara]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Most likely you don't have qubes-usb-proxy installed in the sys-usb's
template (make sure to also install this package in the target bitcoin
banking AppVM's template). See [1] for more info.

[1]
https://www.qubes-os.org/doc/usb/#attaching-a-single-usb-device-to-a-qub
e-usb-passthrough

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZaMnNAAoJEFwecd8DH5rlmTkP/jiwIpUlTMr6OMEUw3afH46X
h1Z+hcADH40Z1M2FVTH3oqginIjoGs0kJyd490vcpaic3Js1EO6+I0eXtvF4n2qt
J5LWSHQ/AQg3xjfBAFSsl2kEXnNa0CGF9hl0ZLCJOaHKcbpcJfS69fH79kT7KtJG
KJ4bOgENGCHaxgHb6vqtvdaYgnj8ltHqRvIZjwThai1PBsQcmw1HSf+uBMzQNRFw
5E39a1Rb6vkvpdG1EDjEXrtzU8TdLH/96eCGODD0+t6vbAAp0t9EEheeqFjDdtz1
65FNUWYx+WxkCvjcDaMK6GR/NY447C9cCM3xm55rQlFH7/vzH9CkMTM52+ZW0bqB
27B8d+BatKYaIKQbrxHBWxdN7LDsJkcr+YHVHGt2F7nqt14LsLaRf+52gj6A+MHq
utn+5cVUpVT//GKlox+vEwfxZC/TjRqr4Im6tqAWQX+OZrpH9q4yP+asb6Ca2YdY
3K9qoJZmtUVCaMiVQLqTRcjzHdVpMllS7scSs4wcJDHvi+KxhIOafG3iH2zAx7VC
CKXj2JltK7BXv4rlRUmcsIO6f4vTq/ylzZ4pP9bUp3VuQQum3wJ4dQnC9GdOoN6B
rTwgfZ5ovA+Fo37FVdRR6k5tc/Gh1emhiFHNfOMAtO6364O0GxWo6NkERTHhVF94
ZdhPoB3Ggx9FoTiAyNPI
=9Dw6
-----END PGP SIGNATURE-----

[Mr. DONG]

Actually I do have the qubes-proxy-usb installed on my sys-usb (that's how I'm able to use my mouse) however I'm not sure if the qubes-proxy-usb can be used to pass the HW wallet.

How I'm I suppose to pass my Ledger nano s or trezor via the proxy?

[Essax]

Was just reading through the qubes docs.  You can delete your current sys-usb and make a new sys-usb and make it an appVM(sys-usb).  Then you could attach it to a sys-firewall or sys-net . Im not 100% sure this will help but it is worth a try.  Sorry I don't have time to write out the instructions.  The link to the doc:  Qubes-doc-usb

  

Essax

Sent with ProtonMail Secure Email.

--

You received this message because you are subscribed to the Google Groups "qubes-users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.

To post to this group, send email to qubes...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/1441642922.1727.1500046931339%40office.mailbox.org.

[Mr. DONG]

Thank you for the effort in replying to me, I really appreciate :)

So the only viable option left in order for me to use my HW wallet in Qubes is to create a sys-usb from scratch, and create it as a AppVM instead of NetVM as the default?

Wouldn't this solution expose also any USB device to the internet? Is this a safe trade-off?

Isn't possible to attach only my HW wallet to an AppVM instead of assigning the whole USB controller? (I've tested this option, and once I assign my USB PCI device to another AppVM all my USB ports will also be assigned to the same AppVM)

Ideally I'm looking for the most secure possible solution - one that assigns only that USB port to another AppVM instead of exposing all my USB controller to the internet.

Is this possible? Does anyone knows?

[Patrik Hagara]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 07/15/2017 11:51 AM, Mr. DONG wrote:
> Isn't possible to attach only my HW wallet to an AppVM instead of
> assigning the whole USB controller? (I've tested this option, and
> once I assign my USB PCI device to another AppVM all my USB ports
> will also be assigned to the same AppVM)
>
> Ideally I'm looking for the most secure possible solution - one
> that assigns only that USB port to another AppVM instead of
> exposing all my USB controller to the internet.
>
>
> Is this possible? Does anyone knows?

It is possible with the qubes-usb-proxy packages properly installed.

Make sure you have qubes-usb-proxy-dom0 installed in dom0:
sudo qubes-dom0-update qubes-usb-proxy-dom0

For your sys-usb's template VM (eg. for fedora-24; command will be
different for templates based on other distro):
sudo dnf install qubes-usb-proxy

If your bitcoin banking VM is based on a different template than
sys-usb, you need to install qubes-usb-proxy package there as well!

Shut down all the templates, then reboot both sys-usb and banking VM.

Connect the bitcoin hw wallet to a USB port, then run `qvm-usb -l`
from dom0. Do you really not see the wallet here? (Does any device
disappear after you unplug the wallet and re-run `qvm-usb -l` in dom0?)

If it still does not work, try enabling testing repositories for both
dom0 and appropriate template VMs and updating.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZafKyAAoJEFwecd8DH5rlddEQAKRWuJUzgPPUzldXQHp2TLj6
hKIYw+vyZrCRgyJg1BdliKZbSpzgnXimLRv8biURiHslif7zdJ/3YVPppGKA6EOU
8m2QQWgLngZm9zfR6+Ra/B2yrJqVV8lhSWZN9ndkvxl7Is0PEXg2pk96/eVsoEXo
BbkYlVOybCn6mutIfjg7N9PUAowWGrPVRm2ZN9jHAIWtUCM8SDCmRKNWsJJDYIdh
oYHpY+KyivIEX0Hiu19U2T8FGaMv6RyjQIxV7piHHof/pHlO4xRjSSu3les2ronO
8c04ScL78LQmB6SDo1dgaJ95dIHwyBKEKrOp5Jq5z08HO+kmHCJ5JrgrGK8Hy9tR
9cbQAeoxaYz/J/7iJSWHgkJjpcA7oN1CDIviO+WIdyW4BQN+YYp4UEX0nUCOE6AR
IvAPf7TW2FH1cTWdF5F+cNF2vQ4BTOzzIf0i5JjM5a9Jf8pDzmclwWjAjKdOjNDi
3ScVCQO9WrYt8s9F8C4AvqYjx9l2/MgUwOunHK4EXEZdwLb3nlW1T1rroj/PRptY
axiCIVc3m0gDUpAH19hfMePL+i8rIRGBR7cSZG62gvtPHmW0I6QKqhvWESrh5jl6
dI7sIz2ONCSE+H3ccHz/CBWx31FxODwPs8qCXTyrp9MjR3rkUCw/AIgewAFr6zdZ
gd7aAfjxoXQ4GDK1nwgK
=0cte
-----END PGP SIGNATURE-----

[Tai...@gmx.com]

On 07/15/2017 05:51 AM, Mr. DONG wrote:

> Thank you for the effort in replying to me, I really appreciate :)
>
> So the only viable option left in order for me to use my HW wallet in Qubes is to create a sys-usb from scratch, and create it as a AppVM instead of NetVM as the default?
>
> Wouldn't this solution expose also any USB device to the internet? Is this a safe trade-off?

You could always not allow all networking, or not attach a network
controller.

> Isn't possible to attach only my HW wallet to an AppVM instead of assigning the whole USB controller? (I've tested this option, and once I assign my USB PCI device to another AppVM all my USB ports will also be assigned to the same AppVM)
>
> Ideally I'm looking for the most secure possible solution - one that assigns only that USB port to another AppVM instead of exposing all my USB controller to the internet.
>
> Is this possible? Does anyone knows?

Yes it is, the best way is buying another USB controller.