On Fri, Aug 11, 2017 at 4:41 AM, Nicolas Mojon <nicolas.mo...@gmail.com> wrote:
> I would like to know if on the new 4.0 it is possible to lock down data in a
> VM so that nothing can go out of the VM (like no internet or copy/paste
> through dom0). I would like to do that especially for USB sticks or other
> storage devices, so that people can work on things on the USB in the VM but
> nothing must be able to go out.
> In addition to that, I would like to know if it is possible to use the
> sys-usb VM but with a USB keyboard, because for the moment, when I try to
> implement it, it ends in a deadlock because I cannot use the keyboard when
> restarting. And even with the ask policy, it happens after the login, so it is
> pretty problematic, and allowing it completely will probably cause a security
> issue for my system on of the question above.
> Thank you in advance...
> Best regards
You can put explicit deny rules for all qrexec services involving that
VM. Copy/paste evaluates qubes-rpc policy too, but with an implicit
undefined or ask meaning yes.
*HOWEVER*: To truly and completely accomplish this is pretty much
impossible with modern computer architectures unless you limit to only
one VM running at a time. There will likely always be ways to
establish covert channels between cooperating VMs due to hardware
side-channels, regardless of whatever Qubes might try to do to stop
See also: https://www.qubes-os.org/doc/data-leaks/
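
An added example, not part of the original thread or of Qubes itself: a small audit that reports which qrexec services still lack an explicit blanket deny for one VM, treating "ask" and "undefined" as not locked down, in line with the reply above. The VM name `usbvault`, the sample policy contents and the chosen service names are constructed; the rule syntax ("source target action", first match wins, `$anyvm` wildcard) is assumed to be the Qubes 4.0 one.

```python
# Added example, not from the thread. Assumes Qubes 4.0 policy syntax:
# one file per service, "source target action[,params]" per line,
# first matching rule wins, "$anyvm" as the wildcard.
# Limitation: only literal VM names and $anyvm are matched; tag and
# type keywords are not resolved.
ANY = "$anyvm"

def parse_rules(text):
    """Yield (source, target, action) per rule; $include lines are not followed."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and not parts[0].startswith("$include:"):
            yield parts[0], parts[1], parts[2].split(",")[0].lower()

def direction_verdict(rules, vm, outbound):
    """Walk rules in order for one direction; only a blanket deny counts."""
    for source, target, action in rules:
        mine, other = (source, target) if outbound else (target, source)
        if mine not in (vm, ANY):
            continue              # rule cannot apply to this VM
        if action != "deny":
            return action         # ask/allow reachable before a blanket deny
        if other == ANY:
            return "deny"         # explicit deny covering every peer
    return "undefined"            # no explicit rule: not treated as safe

def audit(policies, vm):
    """Return {service: (outbound, inbound)} for services not denied both ways."""
    findings = {}
    for service, text in sorted(policies.items()):
        rules = list(parse_rules(text))
        verdicts = (direction_verdict(rules, vm, True),
                    direction_verdict(rules, vm, False))
        if verdicts != ("deny", "deny"):
            findings[service] = verdicts
    return findings

# Constructed sample: policy file name -> file content.
SAMPLE_POLICIES = {
    "qubes.ClipboardPaste": "usbvault $anyvm deny\n$anyvm usbvault deny\n$anyvm $anyvm ask\n",
    "qubes.Filecopy": "$anyvm $anyvm ask\n",
    "qubes.OpenInVM": "usbvault $anyvm deny\n$anyvm $dispvm allow\n$anyvm $anyvm ask\n",
    "qubes.OpenURL": "# no rules\n",
}

if __name__ == "__main__":
    for service, (out, inn) in audit(SAMPLE_POLICIES, "usbvault").items():
        print(f"{service}: from VM={out}, to VM={inn}")
```

Deny rules only take effect when they come before any broader ask or allow line in the same file, which is why the audit walks the rules in order.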