On Fri, Aug 11, 2017 at 4:41 AM, Nicolas Mojon <nicolas.mo...@gmail.com> wrote:
> Hi,
> I would like to know if on the new 4.0 it is possible to lock down data in a 
> VM like that nothing can go out of the VM (like no internet or copypaste 
> through dom0). I would like to make that specially for usb sticks or other 
> stocking device, that people can work on things on the usb in the VM but 
> nothing must be able to go out.
> Additionally to that, I would like to know if it is possible to use the 
> sys-usb vm but with an usb keyboard, cause for the moment, when I try to 
> implement it, it finish in a dead lock cause I cannot use the keyboard when 
> restarting. And even with the ask policy, it happens after the login so it is 
> pretty problematic and allow it completely,will probably cause a security 
> issue for my system on of the question above.
> Thank you in advance...
> Best regards
> Nicolas

You can put explicit deny rules for all qrexec services involving that
VM. Copy/paste evaluates qubes-rpc policy too, but with an implicit
undefined or ask meaning yes.

*HOWEVER*: To truly and completely accomplish this is pretty much
impossible with modern computer architectures unless you limit to only
one VM running at a time. There will likely always be ways to
establish covert channels between cooperating VMs due to hardware
side-channels, regardless of whatever Qubes might try to do to stop

See also: https://www.qubes-os.org/doc/data-leaks/


You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to