On Wed, Aug 03, 2016 at 02:56:09AM +0000, Jeremy Rand wrote:
> Marek Marczykowski-Górecki:
> > On Mon, Aug 01, 2016 at 07:35:26PM +0000, 468ezc+5r0fnwy87qeag via
> > qubes-users wrote:
> >> Hi,
> >
> >> My MicroSD while attached is assigned to dom0 and not sys-usb as is
> >> supposed. Notwithstanding, USB devices are still assigned to sys-usb.
> >
> >> Is this the intended behavior? Doesn't this increase, in the same manner
> >> as USB devices do, the attack surface in dom0?
> >
> > Your (micro)SD card reader is probably not a USB device, but a PCI device.
> > Yes, it's better to assign it to some VM - sys-usb is ok. You can do
> > this in VM settings - "Devices" tab.
>
> Seems to me that assigning the SD controller to a different VM than
> sys-usb would eliminate some attack vectors, since if they're assigned
> to the same VM, IOMMU won't prevent software accessing the SD card from
> attacking software accessing the USB devices (and vice versa). A
> doomsday scenario that comes to mind is when the USB controller is being
> used to connect to the Internet via a phone tether, and the SD card is
> storing some high-value data. (My doomsday imagination is limited;
> perhaps there are better doomsday scenarios.)
>
> Is my intuition on this correct?

Generally yes, but I think it's of rather little value. If you have
high-value data, you should encrypt it anyway. Outside of the device-facing
VM, of course. Generally, the VM where you (or someone else) can plug a
potentially malicious device should not be trusted.

> Of course, using a separate VM means increased RAM usage, which may or
> may not be worth it.
>
> Cheers,
> -Jeremy Rand
>

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
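
An added example, not part of the original message: one way to check whether a card reader sits on USB or directly on PCI, and which PCI function would have to be assigned to a VM, by reading the device's resolved sysfs path. The function names and the two sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a block device by the bus its controller sits on,
# using the resolved sysfs path. Sample paths below are constructed.

# A PCI address as it appears in sysfs: domain:bus:device.function
BDF_RE='[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]'

# classify_sysfs_path PATH -> prints "<bus> <PCI address of the controller>"
classify_sysfs_path() {
    parts=$(printf '%s\n' "$1" | tr '/' '\n')
    # The last PCI address in the path is the controller function itself;
    # earlier ones are bridges or root ports above it.
    bdf=$(printf '%s\n' "$parts" | grep -xE "$BDF_RE" | tail -n 1)
    if [ -z "$bdf" ]; then
        echo "unknown"
        return 1
    fi
    # A usbN component means the device hangs off a USB host controller,
    # so it follows whichever VM holds that controller.
    if printf '%s\n' "$parts" | grep -qxE 'usb[0-9]+'; then
        echo "usb $bdf"
    else
        echo "pci $bdf"
    fi
}

# classify_blockdev NAME -> same, for a live device such as mmcblk0 or sdb
classify_blockdev() {
    classify_sysfs_path "$(readlink -f "/sys/block/$1")"
}

# Constructed sample paths: an SD host on its own PCI function, and a
# card reader behind a USB host controller.
SD_PCI='/sys/devices/pci0000:00/0000:00:1c.2/0000:03:00.0/mmc_host/mmc0/mmc0:aaaa/block/mmcblk0'
SD_USB='/sys/devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/host6/target6:0:0/6:0:0:0/block/sdb'

for p in "$SD_PCI" "$SD_USB"; do
    printf '%s -> %s\n' "${p##*/}" "$(classify_sysfs_path "$p")"
done
```

A `pci` result means the reader is its own PCI function and stays in whichever domain owns that function until it is assigned elsewhere; a `usb` result means it already travels with the USB controller.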