Hi,

I am wondering a bit what this USB & NetVM shielding are really buying me. I am 
switching from a laptop to a desktop, so it may remain unattended for quite a 
while and thus could be exposed to hardware access... The hardware access will 
be mild, meaning I could imagine someone compromising a bootloader or installing
a malicious device.

Now say that I install an internal USB controller to which I connect an SD-Card
reader, which in turn uses Anti-Evil-Maid to boot the machine. This controller 
needs to be whitelisted. But since it is internal and will only provide one 
slot for the card reader, the machine will not boot properly without this 
setup. Still, someone could compromise this setup.

So let's say I had a PCI-Express card reader, which seems to not be available
for desktops... Wouldn't this pose the same problem? PCI-Express also has DMA 
access. How does Qubes know that a particular PCI-Express device can be safely 
attached to Dom0 (like an SD card reader on a laptop, which is usually
PCI-Express)? If the PCI-Express device is compromised, wouldn't it compromise 
Dom0?

Anyway I am trying to wrap my head around what I can and can not protect 
against.

It seems as if Qubes OS is useless in protecting against hardware access. Even 
with TPM, I am not sure how realistic it is. Will AEM be triggered when 
changing USB controllers or adding hostile USB devices to the one whitelisted
controller that manages the AEM device? If not, what is the point of AEM? How 
is AEM any better than simply putting the bootloader on a separate disk? Okay, 
it gives a bit better peace of mind that really MY bootloader was used, but
that is about it, right? It won't help against someone adding compromised 
devices to a PCI-E slot or USB?!

Any links or help here? Btw, it's really hard to find any useful information via
Google about most topics regarding Qubes OS. Is Qubes OS somehow downranked 
intentionally?

Cheers
Chris
