On Sat, Jun 25, 2016 at 11:19:14AM -0700, Ali Mammadov wrote:
> IMHO, it might be good to implement this feature to protect against cold
> boot attacks and physical stealing of a running laptop. Taking into account
> restrictions on how USB devices are handled in Qubes OS, powering dom0 off
> by a signal from some VM seems hard to implement, let alone a full RAM wipe.

Actually not that hard. Just a matter of a simple qrexec service. This of
course means that a malicious USB VM will be able to shut down your system
at any time...
Take a look here:
https://www.qubes-os.org/doc/qrexec3/

Something like this:

dom0:/etc/qubes-rpc/emergency-shutdown (make it executable)

    #!/bin/sh
    # some other command to shutdown/wipe ram?
    sudo poweroff -fn

dom0:/etc/qubes-rpc/policy/emergency-shutdown

    sys-usb dom0 allow
    $anyvm $anyvm deny

Then in your sys-usb trigger this command on usb removal:

    qrexec-client-vm dom0 emergency-shutdown

It can be done for example with some udev rule:

sys-usb:/rw/config/usb-emergency.rules

    ACTION=="remove", ENV{ID_VENDOR}=="1234", ENV{ID_MODEL}=="5678", RUN+="/usr/bin/qrexec-client-vm dom0 emergency-shutdown"

sys-usb:/rw/config/rc.local (make it executable)

    #!/bin/sh
    cp /rw/config/usb-emergency.rules /etc/udev/rules.d/
    udevadm control --reload

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

--
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20160625215144.GB28824%40mail-itl.
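Added example, not part of the original message or of Qubes itself: a simplified shell model of qrexec policy evaluation, used to audit which VMs the posted policy lets call emergency-shutdown in dom0. It assumes first-match-wins evaluation with a default of deny; the function names and the VM names sys-net and work are hypothetical, and the policy files are constructed samples.

```sh
#!/bin/sh
# Simplified model of how dom0 evaluates a qrexec policy file (assumptions:
# lines are "source target action[,options]", the first matching line wins,
# and a call that matches no line is denied).

# policy_decision FILE SOURCE TARGET -> prints the action for that call
policy_decision() {
    while read -r p_src p_dst p_action rest; do
        case $p_src in ''|'#'*) continue ;; esac    # skip blank lines and comments
        [ "$p_src" = "$2" ] || [ "$p_src" = '$anyvm' ] || continue
        [ "$p_dst" = "$3" ] || [ "$p_dst" = '$anyvm' ] || continue
        printf '%s\n' "${p_action%%,*}"             # drop ",user=..." style options
        return 0
    done < "$1"
    echo deny
}

# allowed_callers FILE VM... -> prints the VMs allowed to call the service in dom0
allowed_callers() {
    file=$1; shift
    out=
    for vm in "$@"; do
        if [ "$(policy_decision "$file" "$vm" dom0)" = allow ]; then
            out="$out $vm"
        fi
    done
    printf '%s\n' "${out# }"
}

# Constructed sample 1: the policy from the message.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
sys-usb dom0 allow
$anyvm $anyvm deny
EOF

# Constructed sample 2: an over-broad variant that an audit should flag.
BROAD=$(mktemp)
cat > "$BROAD" <<'EOF'
$anyvm dom0 allow
EOF

# VM names other than sys-usb and dom0 are made up for the demonstration.
echo "policy from the message: $(allowed_callers "$GOOD" sys-usb sys-net work)"
echo "over-broad policy:       $(allowed_callers "$BROAD" sys-usb sys-net work)"
```

With the policy from the message only sys-usb can trigger the shutdown, which is exactly the exposure the reply points out: a compromised sys-usb can power the machine off, but no other VM can.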
