On Mon, Jan 01, 2018 at 09:20:46PM -0800, [email protected] wrote:
> So from the installation security guide I read the following:
> "Use a USB optical drive.
> Attach a SATA optical drive to a secondary SATA controller, then assign this
> secondary SATA controller to an AppVM."
>
> And for USB Drive:
> "Untrustworthy firmware. (Firmware can be malicious even if the drive is new.
> Plugging a drive with rewritable firmware into a compromised machine can also
> compromise the drive. Installing from a compromised drive could compromise
> even a brand new Qubes installation.)"
>
> Do usb optical drives not also have the same problem firmware wise?
>
> What about sata?
>

I remember some years back playing with WD hard drives, and reflashing the firmware: it was possible to effectively engineer an exploit that could spread across disks, and infect hosts. We spent a little time working on the controllers, before we realised the obvious - that by that stage the game was already lost. If you were inside the box you had control anyway.

The principal risk in USB is exactly its versatility and accessibility. (I don't include eSATA and eSATAp here.) So yes, USB optical drives carry the same risks identified under the USB drive heading. And it is possible to attack SATA controllers, but far less likely than for USB.

And frankly, you have to trust *something*. When you come to install Qubes, you are trusting that your hardware isn't already backdoored, as made clear in the first para.

unman
