Unfortunately, with the option rd.qubes.hide_all_usb, I will not be able to enter the LUKS password using the USB keyboard. Is it possible to hide a set of USB controllers (not all) from dom0?
Alan
 
Sent: Sunday, June 25, 2017 at 3:41 PM
From: Unman <[email protected]>
To: "Alan Got" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [qubes-users] Booting with dom0 exposed to usb controllers.
On Sat, Jun 24, 2017 at 03:10:07PM -0300, Franz wrote:
> On Sat, Jun 24, 2017 at 12:16 PM, Alan Got <[email protected]> wrote:
>
> > Hi,
> > I'm using a USB mouse and keyboard attached to InputVM (USB controller 1).
> > Another USB controller (2) is attached to UntrustedVM. When I need to
> > restart the computer I physically disconnect all USB devices attached to
> > controller (2). Is it possible that controller (2) would compromise Qubes
> > at boot time?
> >
>
> I suppose that with the word "attached" you mean what in Qubes definitions
> is called "assigned".
>
> In this case I can tell that when I tried to assign two different USB
> controllers to two different VMs, dom0 refused to do that claiming that the
> controllers were sharing some resources and so there was a security risk.
> So, if in your case you were allowed to do that, then your controllers
> should be really separated and that may be encouraging.
>
> best
> Fran
>
>
> > My mainboard doesn't have any PS/2 ports and my processor doesn't support TXT
> > (to use AEM), it only supports IOMMU.

The boot option rd.qubes.hide_all_usb is intended to stop dom0 from
being compromised by a malicious controller. Since you have VT-d you
should be all right. (Check that you are booting with that option
obviously.)

unman
