You're doing all this, BTW, because rather than supporting Thunderbolt and PCIe hotplug (which are usually protected by that device authorization you have to disable), Qubes is trying to protect users with FireWire and ExpressCard that are fundamentally insecure. I hope those extra 4 times a day you enter your dom0 decryption key on boot while using a dock aren't putting that key at extra risk or incentivising you to use a weaker key. :(
Yes, and that's also why Thunderbolt is disabled. It has full memory access and can likely bypass IOMMU = r/w access any VM on hotplug. So if you leave your laptop unattended for 5mins, someone can simply read/write the entire memory by just plugging in a USB type C stick into your thunderbolt port [1].
More broadly, I think the lack of hotplug support is a misguided trade-off that hampers the usability of Qubes and just creates one more barrier to adoption for users. Folks with firewire ports/expresscard slots and nation-state adversaries with physical access need to disable those ports/slots in BIOS rather than relying on lack of hotplug support to protect them. It's not that hard to hide something in an expresscard slot that will be there on boot, and then it's game over for dom0 even without hotplug.
True, that is somewhat more advanced though. State-level attackers have teams that can open and replace arbitrary hardware with malicious one within 15 mins, yes. So if you fear them, don't leave your laptop unattended anyway. In contrast your colleague sitting next to you at work can plug in a USB stick into your laptop and perform the thunderbolt attack whilst you're at lunch. Having someone physically take away your laptop or even dismantle it is a lot more suspicious.
Qubes OS is focusing on security and fortunately doesn't make security tradeoffs even for usability.
[1] http://thunderclap.io/ -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/eb20546b-093a-1508-0adf-3afd30316446%40hackingthe.net. For more options, visit https://groups.google.com/d/optout.
smime.p7s
Description: S/MIME Cryptographic Signature
