Qubes 3.2(R2) USB Connecting to DOM0 by Default
635 views
Skip to first unread message
ama...@riseup.net
Aug 11, 2016, 8:08:27 AM8/11/16
to qubes...@googlegroups.com
My understanding is that by default Qubes Dom0 is protected from USB
attacks by disallowing access to USB's.
To the contrary,on my system, USB's have direct access to Dom0 - I plug
in a usb -popup shows it's connected to dom0 - i have direct access via
dom0 to the files on the usb.
Is it just me? or it it a system failure?
attacks by disallowing access to USB's.
To the contrary,on my system, USB's have direct access to Dom0 - I plug
in a usb -popup shows it's connected to dom0 - i have direct access via
dom0 to the files on the usb.
Is it just me? or it it a system failure?
Alex
Aug 11, 2016, 8:27:25 AM8/11/16
to qubes...@googlegroups.com
usb device is not assigned to a sys-usb.
This can happen if
- no sys-usb has been created during installation
- sys-usb is not running (its devices are attached to dom0)
- the controller has not been recognized as a USB controller, so it has
not been automatically attached to sys-usb
Please check for these 3 situations and report your findings...
--
Alex
Andrew David Wong
Aug 11, 2016, 2:50:53 PM8/11/16
to ama...@riseup.net, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Pleas read this page:
https://www.qubes-os.org/doc/usb/
Without a USB qube, the USB controllers are left in dom0, which sounds like
your situation. Depending on the version of Qubes you're using and whether
you're using a USB keyboard and/or mouse, you should have been prompted during
installation to create a USB qube. However, you can also create one yourself
by following the instructions on that page.
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJXrMkGAAoJENtN07w5UDAw2SkQAKE230GVdVVTj6ds7dH2m7ua
LJfdrLATMfXiCc8ua0GCPB/LFlBHua39LJDowL0okeX7UZfh6mPS+iQ51wEDVHU1
Mox/PaEqkKpv7QnIj/6XSV3sIhwYqTIL+5HFBhd3IE8Psj2NCb30fYFJgoOdcpR6
/8Y2huXCxCIvlsuTnxaa9/xvwZXKaN7eB00OMrk2pzRBfNOTedMIONzy5pPOvF2Q
X0cOln+U7s2iu0s+WmZWtcgX82qKpTWa07r96WcTU262e8+TXvH8umZZtIlJLwLU
eJxucUJFaNOGYGUL9dx6zaFiQ5WmOpCQ37Awh/3m/iVgL6FrpUlX+z66ZCpC6UZG
pwjHKcv3jRyxNIXTu6ROwjPzjjuHx8xuKAP1cIhU/EsQi+k6goWXeIalwO2lmDy1
+lZwm3oHN1w2BEtPBthB+GDEsVjCzlUKnZSPZzj9rSMNW5CkYuw/KLXtKKhm2jcy
7sSAk8zZ320NA0OeLcMR485QFaQ3HPtVoWdaA2aHjV/bTtMQMR72rgUZGXI3jntB
kFnQfa255+IQN8+WH6goHypuunSz3od3HH1ChlSnO2slzykMRiy51bHvLGnyNILN
TuKSTBTzqHxeV242NoqJye+zVTm5Ka1V43MTjIO6vhLCFz5HN6ezViT3GX/Eehah
nrDdi2shrGFOzLwP7Zea
=ZISO
-----END PGP SIGNATURE-----
Hash: SHA512
https://www.qubes-os.org/doc/usb/
Without a USB qube, the USB controllers are left in dom0, which sounds like
your situation. Depending on the version of Qubes you're using and whether
you're using a USB keyboard and/or mouse, you should have been prompted during
installation to create a USB qube. However, you can also create one yourself
by following the instructions on that page.
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJXrMkGAAoJENtN07w5UDAw2SkQAKE230GVdVVTj6ds7dH2m7ua
LJfdrLATMfXiCc8ua0GCPB/LFlBHua39LJDowL0okeX7UZfh6mPS+iQ51wEDVHU1
Mox/PaEqkKpv7QnIj/6XSV3sIhwYqTIL+5HFBhd3IE8Psj2NCb30fYFJgoOdcpR6
/8Y2huXCxCIvlsuTnxaa9/xvwZXKaN7eB00OMrk2pzRBfNOTedMIONzy5pPOvF2Q
X0cOln+U7s2iu0s+WmZWtcgX82qKpTWa07r96WcTU262e8+TXvH8umZZtIlJLwLU
eJxucUJFaNOGYGUL9dx6zaFiQ5WmOpCQ37Awh/3m/iVgL6FrpUlX+z66ZCpC6UZG
pwjHKcv3jRyxNIXTu6ROwjPzjjuHx8xuKAP1cIhU/EsQi+k6goWXeIalwO2lmDy1
+lZwm3oHN1w2BEtPBthB+GDEsVjCzlUKnZSPZzj9rSMNW5CkYuw/KLXtKKhm2jcy
7sSAk8zZ320NA0OeLcMR485QFaQ3HPtVoWdaA2aHjV/bTtMQMR72rgUZGXI3jntB
kFnQfa255+IQN8+WH6goHypuunSz3od3HH1ChlSnO2slzykMRiy51bHvLGnyNILN
TuKSTBTzqHxeV242NoqJye+zVTm5Ka1V43MTjIO6vhLCFz5HN6ezViT3GX/Eehah
nrDdi2shrGFOzLwP7Zea
=ZISO
-----END PGP SIGNATURE-----
johnrobe...@gmail.com
Aug 12, 2016, 2:27:15 PM8/12/16
to qubes-users, ama...@riseup.net
So i use R 3.1 and have a usb mouse and keyboard but nothing about usb mention while the installation. i wonder the same as the author after i insert usb stick to my system and it's at dom0.
Nicklaus McClendon
Aug 12, 2016, 3:10:15 PM8/12/16
to qubes...@googlegroups.com
On 08/12/2016 01:27 PM, johnrobe...@gmail.com wrote:
> On Thursday, August 11, 2016 at 8:50:53 PM UTC+2, Andrew David Wong wrote:
> On 2016-08-11 05:08, ama...@riseup.net wrote:
>>>> My understanding is that by default Qubes Dom0 is protected from USB
>>>> attacks by disallowing access to USB's. To the contrary,on my system, USB's
>>>> have direct access to Dom0 - I plug in a usb -popup shows it's connected to
>>>> dom0 - i have direct access via dom0 to the files on the usb.
>>>>
>>>> Is it just me? or it it a system failure?
>>>>
>
> Pleas read this page:
>
> https://www.qubes-os.org/doc/usb/
>
> Without a USB qube, the USB controllers are left in dom0, which sounds like
> your situation. Depending on the version of Qubes you're using and whether
> you're using a USB keyboard and/or mouse, you should have been prompted during
> installation to create a USB qube. However, you can also create one yourself
> by following the instructions on that page.
>
>
> On Thursday, August 11, 2016 at 8:50:53 PM UTC+2, Andrew David Wong wrote:
> On 2016-08-11 05:08, ama...@riseup.net wrote:
>>>> My understanding is that by default Qubes Dom0 is protected from USB
>>>> attacks by disallowing access to USB's. To the contrary,on my system, USB's
>>>> have direct access to Dom0 - I plug in a usb -popup shows it's connected to
>>>> dom0 - i have direct access via dom0 to the files on the usb.
>>>>
>>>> Is it just me? or it it a system failure?
>>>>
>
> Pleas read this page:
>
> https://www.qubes-os.org/doc/usb/
>
> Without a USB qube, the USB controllers are left in dom0, which sounds like
> your situation. Depending on the version of Qubes you're using and whether
> you're using a USB keyboard and/or mouse, you should have been prompted during
> installation to create a USB qube. However, you can also create one yourself
> by following the instructions on that page.
>
>
> So i use R 3.1 and have a usb mouse and keyboard but nothing about usb mention while the installation. i wonder the same as the author after i insert usb stick to my system and it's at dom0.
>
Do you have a USB Qube? If not, you need to make on following Axon's
>
instructions above. Otherwise, I would check your USB Qube's attached
devices with Qubes VM Manager (the Devices tab in the USB Qube's
settings) and make sure your USB Controllers are selected.
--
kulinacs <nick...@kulinacs.com>
Andrew David Wong
Aug 13, 2016, 2:55:15 AM8/13/16
to johnrobe...@gmail.com, qubes-users, ama...@riseup.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hash: SHA512
On 2016-08-12 11:27, johnrobe...@gmail.com wrote:
> On Thursday, August 11, 2016 at 8:50:53 PM UTC+2, Andrew David Wong wrote:
> On 2016-08-11 05:08, ama...@riseup.net wrote:
>>>> My understanding is that by default Qubes Dom0 is protected from USB
>>>> attacks by disallowing access to USB's. To the contrary,on my
>>>> system, USB's have direct access to Dom0 - I plug in a usb -popup
>>>> shows it's connected to dom0 - i have direct access via dom0 to the
>>>> files on the usb.
>>>>
>>>> Is it just me? or it it a system failure?
>>>>
>
> Pleas read this page:
>
> https://www.qubes-os.org/doc/usb/
>
> Without a USB qube, the USB controllers are left in dom0, which sounds like
> your situation. Depending on the version of Qubes you're using and whether
> you're using a USB keyboard and/or mouse, you should have been prompted
> during installation to create a USB qube. However, you can also create one
> yourself by following the instructions on that page.
>
>
> On Thursday, August 11, 2016 at 8:50:53 PM UTC+2, Andrew David Wong wrote:
> On 2016-08-11 05:08, ama...@riseup.net wrote:
>>>> My understanding is that by default Qubes Dom0 is protected from USB
>>>> attacks by disallowing access to USB's. To the contrary,on my
>>>> system, USB's have direct access to Dom0 - I plug in a usb -popup
>>>> shows it's connected to dom0 - i have direct access via dom0 to the
>>>> files on the usb.
>>>>
>>>> Is it just me? or it it a system failure?
>>>>
>
> Pleas read this page:
>
> https://www.qubes-os.org/doc/usb/
>
> Without a USB qube, the USB controllers are left in dom0, which sounds like
> your situation. Depending on the version of Qubes you're using and whether
> you're using a USB keyboard and/or mouse, you should have been prompted
> during installation to create a USB qube. However, you can also create one
> yourself by following the instructions on that page.
>
>
> So i use R 3.1 and have a usb mouse and keyboard but nothing about usb
> mention while the installation. i wonder the same as the author after i
> insert usb stick to my system and it's at dom0.
>
IIRC, the R3.1 installer will not prompt you to create a USB qube if you're
> mention while the installation. i wonder the same as the author after i
> insert usb stick to my system and it's at dom0.
>
using a USB *keyboard*, since this would risk preventing you from typing
anythign in dom0. If you'd like to use your USB keyboard concurrently with a
USB qube, please follow these instructions (but carefully read the warning
first!):
https://www.qubes-os.org/doc/usb/#tocAnchor-1-1-4
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
BmHL2M6azwSuM0djSAxLwOTHVudhBdlGPwWd1K72ThysSwBPZWLr4bfOGFHuRgEz
mVX3gQXfFYmztokK/Y9UCAQhNvs82lRCalzhAswwmj/qLV7dwv59r9wlgX6IZ+JQ
zp97hzpVWZHu5z6wwqbaPfbQOGlLylFS9HSQHFWKTl8u7NLGEnSfcKQsYRMnY/x3
qBsm8NlddkukWbTLW55jhOhFD9UnXuLb7j0pKaziOzDg61ootQcRgcj0dRYlCakA
4s8/gT0t3LGkrhfbr2lvG3esJ0T/qyUVddl5GVcws4/uSQ7OwR3eBHNXQO4tMOYc
Qkunc0SpbaX+S3bEbIMFttIS3/GsPt3Z2qhUkf4o1aD9iJO+TIrzZj2W5lCBb6UL
xgU7TrGoHBVsZUiJi2pQt714Cifc/lkdz3Lgr49PabwGFzFCkgW8j3BK8XoaE29N
i7mMSjAwj0ISA+GUpOyhefBROFy3Rph/geV1tdDL0QaHQlwvc5CorHksqkpKOVy+
QperqfKEspkfCQqWYH5S9CdDiNMAL59FVBu1qAgXLf4NsBnY6DwnhIpEqUHDYbdH
6wwQJWQCbiA0rJPgb2YjXfJ0z3ZYFU/4nl/PgVnDuKfmOAWKeoE/SLbhc2jnEtWY
nIy/PbwRlU/EPIbwl7zg
=BGxk
-----END PGP SIGNATURE-----
ama...@riseup.net
Aug 13, 2016, 12:35:35 PM8/13/16
to Andrew David Wong, qubes...@googlegroups.com
I do not recall being prompted to create a USB VM during installation of
3.2 rc2. However, I've now successfully created one and it works fine.
But I'm jittery that my system's integrity has been comprised by a
compromised USB Flash stick.
I guess the only solution is to ditch my current VM's [including
backups] and reinstall qubes?
It would be really good if the developers could modify their code to
prevent users from accidentally falling into this unfortunate trap.
Andrew David Wong
Aug 13, 2016, 1:29:50 PM8/13/16
to ama...@riseup.net, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 2016-08-13 09:35, ama...@riseup.net wrote:
Hash: SHA512
> On 2016-08-11 18:50, Andrew David Wong wrote: On 2016-08-11 05:08,
> ama...@riseup.net wrote:
>>>> My understanding is that by default Qubes Dom0 is protected from USB
>>>> attacks by disallowing access to USB's. To the contrary,on my system,
>>>> USB's have direct access to Dom0 - I plug in a usb -popup shows it's
>>>> connected to dom0 - i have direct access via dom0 to the files on the
>>>> usb.
>>>>
>>>> Is it just me? or it it a system failure?
>>>>
>
> Pleas read this page:
>
> https://www.qubes-os.org/doc/usb/
>
> Without a USB qube, the USB controllers are left in dom0, which sounds
> like your situation. Depending on the version of Qubes you're using and
> whether you're using a USB keyboard and/or mouse, you should have been
> prompted during installation to create a USB qube. However, you can also
> create one yourself by following the instructions on that page.
>
>>>> My understanding is that by default Qubes Dom0 is protected from USB
>>>> attacks by disallowing access to USB's. To the contrary,on my system,
>>>> USB's have direct access to Dom0 - I plug in a usb -popup shows it's
>>>> connected to dom0 - i have direct access via dom0 to the files on the
>>>> usb.
>>>>
>>>> Is it just me? or it it a system failure?
>>>>
>
> Pleas read this page:
>
> https://www.qubes-os.org/doc/usb/
>
> Without a USB qube, the USB controllers are left in dom0, which sounds
> like your situation. Depending on the version of Qubes you're using and
> whether you're using a USB keyboard and/or mouse, you should have been
> prompted during installation to create a USB qube. However, you can also
> create one yourself by following the instructions on that page.
>
> Thanks all for your input. I do not recall being prompted to create a USB
> VM during installation of 3.2 rc2. However, I've now successfully created
> one and it works fine. But I'm jittery that my system's integrity has been
> comprised by a compromised USB Flash stick. I guess the only solution is to
> ditch my current VM's [including backups] and reinstall qubes? It would be
> really good if the developers could modify their code to prevent users from
> accidentally falling into this unfortunate trap.
>
Tracking:
> VM during installation of 3.2 rc2. However, I've now successfully created
> one and it works fine. But I'm jittery that my system's integrity has been
> comprised by a compromised USB Flash stick. I guess the only solution is to
> ditch my current VM's [including backups] and reinstall qubes? It would be
> really good if the developers could modify their code to prevent users from
> accidentally falling into this unfortunate trap.
>
https://github.com/QubesOS/qubes-issues/issues/2211#issuecomment-239632240
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
HkLPpFV2e266+Vht5eX0TOvLmPBi70B5YeKX4FuL+43JMmPLdWhD+uu7Og67kTz9
KQIAxHAYswmsFPiKRhdvx+Sg56KFEtrugEHJeWWtu/yKJR/d8IL4Vy49RI7IAMWm
00vTd4Aj13EjULOt91mS4k3JwyfBCANzCSPsR94PzrROGrTResYAzZOM3uNSWwi2
CCduR29wcB0jg1QUi8fiOUKBdjkCDBYwPVZX883OONw49IXlisCYuPwLZB+nIi2q
7jxKIpbdOhtZHDyRFNfCNYiTe4q2G6W4vu7XuolgvICuCArO/QxjFWs7K5bDogzN
/RNHNceztRk+hi0OFxHoKlLt7VQRcgCIMK+r3NZOPvf1nXmILMXmU4Yj7CcXOLs4
xf3vKYJ+NgOFs7V6XRja8tH8p9STMNuu0QEskHM303SL5Z92XuKoKOa7/J+9OlXB
PmTjKFpRmSH2dpiH4usixcQE2ri2lfppK+1LEkbqHWaqhpTRcLLEdpMDIwwT6Ivz
PmbgFC4yCK+3D6uQF80ge7oyo46Du0uLK2eIaEnjW88H24zvFa/E+tPxZA9fHElU
ZqmYoexflR7bVW+7omsTDMjl7UUL3wQ9dw4wqeD9aWtv+5875enLGu2uE4C+kqDc
c3nqv4CZMHOHc3X5AN1U
=QqmJ
-----END PGP SIGNATURE-----
Ben Wika
Dec 6, 2016, 9:44:57 PM12/6/16
to qubes-users, ama...@riseup.net
so to be clear, having no usb qube makes dom0 vulnerable? (i had the same setup until i got myself ps2 splitter)
Andrew David Wong
Dec 7, 2016, 12:00:14 AM12/7/16
to Ben Wika, qubes-users, ama...@riseup.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hash: SHA512
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
LXjIzETlOuNNpfKwXb7YbBfpilldj0IwncXqWfwWVfRlTqi2oa8cmi3RbZbhi+j/
vamVGhAvKP/2B2b31tLFZiLkALxnT7sRw0A2a1ARvS2PWVujyZQKBH+9z5tDbSZq
t0rTco73v3/KZqFbJtK/LyoDrhLE6AmGMstwLhTxN9AaeAr7lkYFKZetgwOiNqsb
mQJCZiqJkxsrfAA3u5RxawwDxsE4c3R0a6ehfFaAEf0PCi9XXtDCLYuk9KX2FMz1
n3NshknLKTK3+mrGIgTNGPgY4wvDANorX1gvBafdWh+UVjgC1J6jZ42FO7AeudPc
lGuvf3GUwc3pooSix65fYtkiVWJMeNSHdfbuMGnRzDRx36IjQpLQJ6qBpAHb7QBn
G2roorRt1GujvQEwen40NOqgO3p4RhMpZra9mVPU34a6E5PcBjRl0Is3gBQgPeU9
a6p9IO+QIIT/exbB0MPguVBYYVbH9crHrJK+crzlyxNdnnFtH5Q2t96digr5rCaW
c57yExsWKRVai8ijP1C22Ta+jF4l3qcta2SXwveXu8eTQZD4oR74q136qOCpbPmw
EDt3HAsJaq8FwlyDVkkNL1I8RpSqYELCdEHBVCNdtH6PlEjmxeyGGGEbdOTJbXlS
oUqq+RZ6xAXtaWbZZZGQ
=MxBx
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages