On Sat, Jun 24, 2017 at 03:10:07PM -0300, Franz wrote:
> On Sat, Jun 24, 2017 at 12:16 PM, Alan Got <[email protected]> wrote:
>
> > Hi,
> > I'm using a USB mouse and keyboard attached to InputVM (USB controller 1).
> > Another USB controller (2) is attached to UntrustedVM. When I need to
> > restart the computer I physically disconnect all USB devices attached to
> > controller (2). Is it possible that controller (2) would compromise Qubes
> > at boot time?
> >
>
> I suppose that with the word "attached" you mean what in Qubes definitions
> is called "assigned".
>
> In this case I can tell that when I tried to assign two different USB
> controllers to two different VMs, dom0 refused to do that, claiming that the
> controllers were sharing some resources and so there was a security risk.
> So, if in your case you were allowed to do that, then your controllers
> should be really separated and that may be encouraging.
>
> best
> Fran
>
> > My mainboard doesn't have any PS/2 ports and my processor doesn't support TXT
> > (to use AEM), it only supports IOMMU.

The boot option rd.qubes.hide_all_usb is intended to stop dom0 from being
compromised by a malicious controller. Since you have VT-d you should be
all right. (Check that you are booting with that option obviously.)

unman
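
The check suggested in the reply above can be scripted. This is an added example, not part of the original thread: the function names are hypothetical, and it assumes it is run in dom0, where /proc/cmdline shows the parameters the running kernel was booted with. It matches the option as a whole token, so a similarly named or misspelled parameter does not count as a pass.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample command line, for illustration only.
SAMPLE_CMDLINE="placeholder root=/dev/mapper/example ro rd.qubes.hide_all_usb quiet"

# has_boot_opt CMDLINE OPTION
# Succeeds only if OPTION is present as a complete token, either bare
# or in OPTION=value form. Runs in a subshell so that disabling glob
# expansion does not leak into the caller.
has_boot_opt() (
    set -f
    for tok in $1; do
        case $tok in
            "$2"|"$2"=*) exit 0 ;;
        esac
    done
    exit 1
)

# check_hide_all_usb [FILE]
# Reads the kernel command line from FILE (default /proc/cmdline) and
# reports whether rd.qubes.hide_all_usb was passed at boot.
# Returns 0 if present, 1 if missing, 2 if FILE cannot be read.
check_hide_all_usb() {
    file=${1:-/proc/cmdline}
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    if has_boot_opt "$(cat "$file")" rd.qubes.hide_all_usb; then
        echo "rd.qubes.hide_all_usb is present on the running kernel command line"
        return 0
    fi
    echo "rd.qubes.hide_all_usb is MISSING from the running kernel command line" >&2
    return 1
}
```

Running `check_hide_all_usb` with no argument in a dom0 terminal checks the currently booted system.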
