On Tue, Jan 02, 2018 at 02:40:16PM -0500, 'Drolo' via qubes-devel wrote:
> Hi,
> I'm interested in how qvm-block and qvm-usb are implemented and in which way
> they interact in the USB drive case. Here is what I discovered about PCI
> passthrough and USB passthrough:
> From [0] I read that Qubes OS uses VT-d (through [3] and [5]) to isolate
> networking and USB controllers in domains. In fact lspci (in dom0) states
> that the pciback driver is associated with those PCI devices. So dom0 handles
> only the passthru, nothing more.
> [6] states that it's not possible to assign a single USB device to a domain,
> because of the VT-d design. However, I think that it's not updated because of
> qubes-usb-proxy ([2]). From [7] and [8] I deduced that qvm-usb uses PVUSB
> ([4]) to passthru a single USB device.
> From [1] I read that qvm-block uses a Xen block backend hosted in the UsbVM.
> Initially I didn't find what it refers to. Then I found the xl block-attach
> command (from [2]). So I found [10] and [11].
>
> So I concluded:
> - qvm-usb uses PVUSB. However, Qubes OS's xl doesn't seem to implement
> usb-list and related.
> - qvm-pci uses Xen PCI passthru. So xl pci-attach and related.
> - Specifically for network: xl network-attach. From [2] I read that because of
> [12] the attack surface is smaller in the guest domain. So the security benefit.
> - qvm-block uses xl block-attach and related.
> - qvm-block is independent from qvm-usb; after that, the guest domain detects
> the drive.
>
> Are these conclusions correct?

Almost: qvm-usb uses USBIP over qrexec instead of IP. Some details are here:
https://github.com/QubesOS/qubes-app-linux-usb-proxy
Other points are correct.

> [0] = https://www.qubes-os.org/attachment/wiki/QubesArchitecture/arch-spec-0.3.pdf
> [1] = https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf
> [2] = https://www.qubes-os.org/doc/usb/
> [3] = https://wiki.xenproject.org/wiki/Xen_PCI_Passthrough
> [4] = https://wiki.xenproject.org/wiki/Xen_USB_Passthrough
> [5] = https://wiki.xenproject.org/wiki/Driver_Domain
> [6] = https://www.qubes-os.org/doc/assigning-devices/
> [7] = https://github.com/QubesOS/qubes-issues/issues/2144
> [8] = https://github.com/QubesOS/qubes-issues/issues/531
> [9] = https://www.qubes-os.org/doc/dom0-tools/qvm-block/
> [10] = https://xenbits.xen.org/docs/4.6-testing/man/xl.1.html
> [11] = https://xenbits.xen.org/docs/4.6-testing/misc/xl-disk-configuration.txt
> [12] = https://wiki.xenproject.org/wiki/Xen_Networking

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/20180103073850.GN2653%40mail-itl.
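The question above rests on one observation that is easy to verify and worth re-checking after any hardware or kernel change: in dom0, `lspci -k` should show the pciback stub driver, not a real dom0 driver, bound to every USB and network controller, because a controller driven by dom0's own kernel is exactly what the driver-domain design is meant to avoid. The following POSIX shell check automates that observation. It is an added example, not code from the thread or from the Qubes project; the `check_pciback` and `sample_lspci` functions and the device names in the sample are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not Qubes project code: audit dom0's `lspci -k` output and
# report any USB or network controller that is NOT held by the pciback stub
# driver (i.e. a dom0 kernel driver is attached to it instead).

# check_pciback: reads `lspci -k` text on stdin, prints one line per offending
# device, exits 0 if every USB/network controller is behind pciback, else 1.
check_pciback() {
    awk '
        # Device header line: "00:14.0 USB controller: <vendor/device>"
        # (domain-prefixed BDFs such as 0000:00:14.0 are accepted too).
        /^([0-9a-f]+:)+[0-9a-f]+\.[0-9a-f]/ {
            flush()
            bdf = $1
            cls = $0
            sub(/^[^ ]+ /, "", cls)   # drop the BDF
            sub(/:.*/, "", cls)       # keep only the class text
            drv = "(none)"            # no "Kernel driver in use" line seen yet
            next
        }
        /Kernel driver in use:/ { drv = $NF; next }
        END { flush(); if (bad) exit 1 }

        # Emit the device collected so far if it is a USB/network controller
        # that is not bound to pciback (Qubes shows "pciback"; xen-pciback is
        # accepted as well).
        function flush() {
            if (bdf == "") return
            if (cls ~ /USB controller|Ethernet controller|Network controller/ &&
                drv != "pciback" && drv != "xen-pciback") {
                printf "%s %s: driver %s\n", bdf, cls, drv
                bad = 1
            }
            bdf = ""
        }
    '
}

# Constructed sample of `lspci -k` output (device names are made up): the USB
# and wireless controllers are behind pciback, the wired NIC is still on e1000e.
sample_lspci() {
    cat <<'EOF'
00:02.0 VGA compatible controller: Example Vendor Integrated Graphics
        Kernel driver in use: i915
00:14.0 USB controller: Example Vendor xHCI Host Controller
        Subsystem: Example OEM Device 0001
        Kernel driver in use: pciback
        Kernel modules: xhci_pci
00:1f.6 Ethernet controller: Example Vendor Gigabit Ethernet
        Kernel driver in use: e1000e
        Kernel modules: e1000e
02:00.0 Network controller: Example Vendor Wireless Adapter
        Kernel driver in use: pciback
        Kernel modules: iwlwifi
EOF
}

# Usage in dom0:  lspci -k | check_pciback
# Demo against the constructed sample:
if sample_lspci | check_pciback; then
    echo "OK: all USB/network controllers are held by pciback"
else
    echo "WARNING: the controllers listed above are driven by dom0 itself"
fi
```

Run in dom0 as `lspci -k | check_pciback`, the function prints nothing and exits 0 on a system where every USB and network controller has been handed to a USB or network driver domain; a line such as `00:1f.6 Ethernet controller: driver e1000e` means dom0's own kernel is still attached to that NIC, so the non-zero exit status can be fed into whatever periodic health check is already in place. The VGA controller in the sample is reported by nothing, since the check deliberately looks only at the device classes the thread is about.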
