On Mon, Oct 10, 2016 at 10:27 AM, Unman <un...@thirdeyesecurity.org> wrote:

> On Mon, Oct 10, 2016 at 05:04:26AM +0000, 'David Shleifman' via
> qubes-users wrote:
> > The PC system has 2 USB hubs: the first one is used for USB jacks on the
> > front panel, the second one is used for USB jacks on the rear panel. Each
> > hub has 3 controllers:
> > front.OHCI0 handles first 3 USB 1.1 devices that are plugged in (nothing
> > at the moment)
> > front.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing
> > at the moment)
> > front.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (DVD-RW
> > drive and flash stick at the moment)
> > rear.OHCI0 handles first 3 USB 1.1 devices that are plugged in (USB
> > keyboard and USB mouse are plugged in persistently)
> >
> > rear.OHCI1 handles next 3 USB 1.1 devices that are plugged in (nothing
> > at the moment)
> >
> > rear.EHCI0 handles up to 6 USB 2.0 devices that are plugged in (Web
> > camera, and CD-RW drive are plugged in persistently)
> > I followed the recommendation at
> > https://www.qubes-os.org/doc/usb/#creating-and-using-a-usb-qube.  After running
> > [dom0]$   qubesctl top.enable qvm.sys-usb
> >
> > [dom0]$   qubesctl state.highstate
> >
> > all 6 controllers have been assigned to sys-usb qube.  It looks like a
> > very bad idea to mix security sensitive devices such as keyboard/mouse with
> > other devices.  Where do I go from this point?
> >
> > A) Split controllers into two groups and assign each group to a
> > different sys-usb qube? Keyboard/mouse shall end up in a first group, while
> > other devices shall end up in the second group.  Is this breakdown in line
> > with the security guidelines (see https://www.qubes-os.org/doc/usb/)?
> >
> >
> > B) Stay with a single sys-usb qube and assign rear.OHCI0 controller back
> > to dom0?  Do I need to remove "sys-usb dom0 ask" from
> > /etc/qubes-rpc/policy/qubes.InputKeyboard?  Do I need to remove
> > GRUB_CMDLINE_LINUX rd.qubes.hide_all_usb from /etc/default/grub ?  How
> > to instruct GRUB to hide all controllers except rear.OHCI0 ?
>
> I wouldn't assign back to dom0.
> There's no reason why you shouldn't adopt some variation on A, and have
> different qubes handling different controllers. Of course, you'd have to
> make sure that you follow a consistent pattern with use of sockets.
> You could enforce this with configuration in the policy file, and by
> some udev rules to block anything except storage devices in the relevant
> ports.
>
>
I am planning to do something like that with my Lenovo x230, which has a
docking station with some USB ports. There should be an independent
controller in the docking station.

When I detach the laptop from the docking station the second sys-usb will
be unable to find its assigned controller and will give some error, but
that should be no problem.

Then I may use the USB controller on the laptop for more dirty stuff and the
controller on the docking station for connecting a Trezor for bitcoin
transactions and similar more delicate tasks.

Best
Fran


> unman
>
> --
> You received this message because you are subscribed to the Google Groups
> "qubes-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to qubes-users+unsubscr...@googlegroups.com.
> To post to this group, send email to qubes-users@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/
> msgid/qubes-users/20161010132724.GC18661%40thirdeyesecurity.org.
> For more options, visit https://groups.google.com/d/optout.
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CAPzH-qD9GhWDXxe2L_qQsXt9bXFvkzdK9c-HVKYfeMMpx6d3bg%40mail.gmail.com.
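Unman's suggestion above (a second USB qube whose udev rules "block anything except storage devices in the relevant ports") is easy to state and fiddly to get right, so here is one concrete way to do it. This is an added example, not code from the thread or from the Qubes project. The script name, the rules file name and the udev rule line are hypothetical; the sysfs attributes it reads and writes (`bInterfaceClass` on each interface directory, `authorized` on the device directory) are standard Linux USB sysfs attributes. `SYSFS_ROOT` is an added knob so the same logic can be exercised against a constructed directory tree instead of the real `/sys`.

```shell
#!/bin/sh
# Added example, not from the qubes-users thread or the Qubes project.
# Hypothetical udev helper for a "storage-only" USB qube: deauthorize any
# USB device whose interfaces are not all mass storage (class 08).
# Assumed rule (hypothetical file /etc/udev/rules.d/90-storage-only.rules):
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", \
#     RUN+="/usr/local/bin/usb-storage-only.sh %p"
# udev's %p is the sysfs devpath (e.g. /devices/pci0000:00/.../usb2/2-1),
# which is resolved under $SYSFS_ROOT (overridable so a constructed tree can
# stand in for the real /sys).

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"
MASS_STORAGE_CLASS="08"

# Succeed (0) only if the device directory has at least one interface
# (child dir named like 2-1:1.0) and every interface's bInterfaceClass is 08.
# A device exposing no readable interfaces is rejected: fail closed.
usb_is_storage_only() {
    dev="$1"
    found=0
    for ifdir in "$dev"/*:*.*; do
        [ -r "$ifdir/bInterfaceClass" ] || continue
        found=1
        read -r cls < "$ifdir/bInterfaceClass"
        # Composite devices (e.g. storage + HID) fail on their non-08 interface.
        [ "$cls" = "$MASS_STORAGE_CLASS" ] || return 1
    done
    [ "$found" -eq 1 ]
}

# Enforce the decision: writing 0 to the device's 'authorized' attribute
# makes the kernel deconfigure it and unbind its drivers. Prints the
# verdict so the udev journal shows what happened. Returns 0 on allow,
# 1 on block.
usb_enforce_storage_only() {
    dev="$1"
    name=$(basename "$dev")
    if usb_is_storage_only "$dev"; then
        echo "allow $name"
        return 0
    fi
    echo 0 > "$dev/authorized"
    echo "block $name"
    return 1
}

# Entry point when udev invokes the script with the devpath argument.
if [ $# -eq 1 ]; then
    usb_enforce_storage_only "$SYSFS_ROOT$1"
fi
```

Two caveats a practitioner would want. First, this variant lets the device enumerate and then deauthorizes it, so there is a short window in which a non-storage interface exists before the rule runs; the stricter approach is to set the controller's `authorized_default` to 0 and decide before configuration, which needs a descriptor parser and is out of scope here. Second, this rule belongs only in the "dirty" USB qube: the qube that owns the keyboard/mouse controller (and, in Fran's setup, the Trezor) must not run it, and it is the only qube that should keep the `sys-usb dom0 ask` line in `/etc/qubes-rpc/policy/qubes.InputKeyboard` that David quotes.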